CVE-2021-42094: 
NixOS vulnerability analysis and mitigation

A command injection vulnerability was discovered in Zammad versions before 4.1.1 (CVE-2021-42094). The vulnerability was identified in the custom Packages functionality, which allows users to upload packages to extend features. The issue was discovered and disclosed on October 5, 2021, affecting Zammad versions 1.0.x up to 4.1.0 (Zammad Advisory).

The vulnerability exists in the package installation functionality of Zammad. The flaw allows an attacker to create files outside of the application's intended scope, which can then be leveraged to perform command injection attacks. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) (NVD).

The vulnerability allows attackers to execute arbitrary commands on the affected system through the package installation feature. Given the CVSS score of 9.8, this indicates a critical severity level with potential for complete system compromise, including high impacts on confidentiality, integrity, and availability (NVD).

The vulnerability has been fixed in Zammad versions 4.1.1 and 5.0.0. Users are strongly recommended to upgrade to one of these fixed versions. Updates can be obtained through the official Zammad website, FTP server, or through the OS package manager (Zammad Advisory).