
Cloud Vulnerability DB
A community-led vulnerabilities database
IBM Navigator for i versions 7.3, 7.4, and 7.5 contains a vulnerability that allows authenticated users to reach, through the Navigator interface, files that they are authorized to access at the system level but that the interface is not supposed to expose. The vulnerability was discovered and disclosed in December 2022 and affects the IBM i operating system's web-based administration interface (IBM Security Bulletin).
The vulnerability allows remote authenticated users to bypass interface checks by modifying parameters, thereby gaining unauthorized access to files through the Navigator interface. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. It has been classified as a Path Traversal vulnerability (CWE-22) (NVD).
The vulnerability enables authenticated users to access and download files they are authorized to access at the system level but should not be able to access through the Navigator interface. While the impact is limited to files the user already has authorization to access, it represents a bypass of intended access control mechanisms within the Navigator interface (IBM Security Bulletin).
IBM has released fixes for this vulnerability through the IBM HTTP Server for i Group PTF. The specific PTF levels required are: SF99952 level 5 for version 7.5, SF99662 level 25 for version 7.4, and SF99722 level 42 for version 7.3. These fixes can be obtained through IBM Fix Central (IBM Security Bulletin).
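One way to check a partition against the PTF levels listed above, as an added example that is not taken from the IBM bulletin. It assumes the Db2 for i SQL service QSYS2.GROUP_PTF_INFO is available and that the query is run from an SQL session on the IBM i partition being assessed; the CTE names and output column names are illustrative.

```sql
-- Added example: compare installed IBM HTTP Server for i group PTF levels
-- with the minimum levels named in the advisory text above.
WITH req (os_version, ptf_group, min_level) AS (
    VALUES ('7.5', 'SF99952', 5),
           ('7.4', 'SF99662', 25),
           ('7.3', 'SF99722', 42)
),
inst AS (
    -- Highest level of each group that is fully installed.
    -- Levels that are only loaded or pending an IPL are deliberately not counted.
    SELECT PTF_GROUP_NAME,
           MAX(PTF_GROUP_LEVEL) AS installed_level
      FROM QSYS2.GROUP_PTF_INFO
     WHERE PTF_GROUP_STATUS = 'INSTALLED'
     GROUP BY PTF_GROUP_NAME
)
SELECT req.os_version,
       req.ptf_group,
       req.min_level,
       inst.installed_level,
       CASE
           WHEN inst.installed_level IS NULL         THEN 'GROUP NOT INSTALLED'
           WHEN inst.installed_level >= req.min_level THEN 'AT OR ABOVE FIX LEVEL'
           ELSE 'BELOW FIX LEVEL'
       END AS fix_status
  FROM req
  LEFT JOIN inst
    ON inst.PTF_GROUP_NAME = req.ptf_group
 ORDER BY req.os_version DESC;
```

Only the row for the release the partition is running applies; the rows for the other two releases report GROUP NOT INSTALLED because those groups belong to a different release.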
Source: This report was generated using AI