CVE-2022-45969: 
NixOS vulnerability analysis and mitigation

Alist v3.4.0 contains a directory traversal vulnerability that allows unauthorized file uploads. The vulnerability was discovered and reported on November 22, 2022, affecting the file system operations in Alist software. This security issue enables users with only file upload permissions to bypass base path restrictions and upload files to arbitrary paths in the system (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 9.8 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability exists in the file system path handling mechanism where the application fails to properly validate and sanitize file paths during upload operations. Specifically, attackers can exploit this by using '../' path traversal sequences in the 'File-Path' parameter during HTTP PUT requests to the '/api/fs/put' endpoint. The vulnerability is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability allows attackers to bypass directory restrictions and upload files to arbitrary locations on the system. This could lead to unauthorized file system access, potential system compromise, and breach of data confidentiality. Given the CVSS score of 9.8, this vulnerability is considered critical due to its network accessibility, low attack complexity, and high impact on confidentiality, integrity, and availability (NVD).

Users should upgrade to a version newer than v3.4.0. The issue was reported to persist in version 3.5.1, so users should verify patch availability with the vendor and apply any security updates as they become available (GitHub Issue).