CVE-2022-43859: 
NixOS vulnerability analysis and mitigation

IBM Navigator for i versions 7.3, 7.4, and 7.5 contains a SQL injection vulnerability that could allow an authenticated user to obtain sensitive information for objects they are authorized to access, but not through the intended interface. The vulnerability was discovered in 2022 and was assigned CVE-2022-43859 (IBM Advisory).

The vulnerability allows an authenticated user to perform a UNION-based SQL injection attack to view file permissions through the IBM Navigator interface. The vulnerability has been assigned a CVSS base score of 6.3 MEDIUM with a vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L, indicating network accessibility with low attack complexity requiring low privileges (NVD).

If exploited, this vulnerability allows authenticated users to bypass interface restrictions and obtain sensitive information about file permissions that they should not be able to access through the Navigator interface, even if they have legitimate access to the objects through other means (IBM Advisory).

IBM has released fixes for this vulnerability through the IBM HTTP Server for i Group PTF. The specific PTF levels required are: SF99952 level 5 for version 7.5, SF99662 level 25 for version 7.4, and SF99722 level 42 for version 7.3. Users are recommended to apply these PTFs to remediate the vulnerability (IBM Advisory).