
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-29180) was discovered in Charm versions v0.9.0 through v0.12.0. The vulnerability allowed attackers to forge HTTP requests that manipulate paths within the Charm data directory, potentially enabling unauthorized access to or deletion of files on the server. The issue was discovered internally and patched in version v0.12.1, released on May 6, 2022 (Charm Advisory).
The vulnerability is classified as a Server-Side Request Forgery (SSRF) issue with a CVSS v3.1 base score of 9.8 (Critical) according to NVD's assessment, while GitHub assessed it at 5.9 (Medium). It is mapped to CWE-918 (Server-Side Request Forgery). The root cause was improper path validation before accessing the file store; the fix cleans the requested path with filepath.Clean() before it is used (NVD).
The vulnerability could allow attackers to access or delete files on the server through manipulated HTTP requests. However, encrypted user data uploaded to a Charm server remained safe, because the server cannot decrypt user data, including filenames, paths, and key-value data. Users running the official Charm Docker images were at minimal risk, since containerization limits the impact to the container's filesystem (Charm Advisory).
The vulnerability was patched in version v0.12.1 in commit 3c90668. The fix cleans the path before accessing the file store. All users running self-hosted Charm instances were advised to update to this version immediately (Charm Advisory).
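To illustrate the bug class and the mitigation the advisory describes, here is an added Go example (my own code, not Charm's, and not the contents of commit 3c90668). It cleans a client-supplied path with filepath.Clean and then adds an explicit containment check so that any attempt to leave the data directory is rejected rather than silently remapped; the directory name and request paths are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideRoot is returned when a client-supplied path would leave the data directory.
var ErrOutsideRoot = errors.New("requested path escapes the data directory")

// resolveUnderRoot maps a client-supplied path onto the server's data directory.
// Cleaning the path is the mechanism the advisory describes for the v0.12.1 fix;
// the containment check after it is an addition in this example so that an
// escape attempt is refused (and can be logged) instead of being remapped.
func resolveUnderRoot(root, requested string) (string, error) {
	root = filepath.Clean(root)
	// Clean collapses "a/../b" to "b" and strips redundant separators, so the
	// check below runs on a canonical form rather than on raw request bytes.
	cleaned := filepath.Clean(requested)
	full := filepath.Join(root, cleaned) // Join also cleans the combined path

	rel, err := filepath.Rel(root, full)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideRoot
	}
	return full, nil
}

// unsafeResolve illustrates the bug class (no validation before use); it is a
// constructed example of the pattern, not Charm's actual pre-fix code.
func unsafeResolve(root, requested string) string {
	return root + "/" + requested
}

func main() {
	const root = "/srv/charm/data" // constructed example directory
	for _, req := range []string{"users/alice/notes.json", "../../etc/hostname"} {
		safe, err := resolveUnderRoot(root, req)
		fmt.Printf("request %q\n  unsafe -> %s\n  safe   -> %q (err: %v)\n",
			req, unsafeResolve(root, req), safe, err)
	}
}
```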
Source: This report was generated using AI