CVE-2021-46671: 
NixOS vulnerability analysis and mitigation

CVE-2021-46671 is a vulnerability discovered in atftp software versions before 0.7.5. The vulnerability involves a buffer overflow issue where options.c reads past the end of an array, potentially exposing sensitive server-side /etc/group data to remote clients (NVD, Debian Bug).

The vulnerability is classified as an Out-of-bounds Read (CWE-125) with a CVSS v3.1 Base Score of 5.3 (Medium). The attack vector is network-based, requires low attack complexity, and needs no privileges or user interaction. The scope is unchanged, with low confidentiality impact and no impact on integrity or availability (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) (NVD).

When exploited, the vulnerability allows remote attackers to access sensitive information by reading server-side /etc/group data. The issue only manifests under specific circumstances, such as when the server is running in standalone mode (--daemon, not via inetd), and primarily affects the first request to the server (Debian Bug).

The vulnerability has been fixed in atftp version 0.7.5 and later. Various distributions have released patched versions: Debian Bullseye (0.7.git20120829-3.3+deb11u2), Buster (0.7.git20120829-3.2~deb10u3), and Stretch (0.7.git20120829-3.1~deb9u3) (Debian LTS).