CVE-2023-20872: 
NixOS vulnerability analysis and mitigation

CVE-2023-20872 is an out-of-bounds read/write vulnerability discovered in VMware Workstation and Fusion's SCSI CD/DVD device emulation functionality. The vulnerability was reported by Wenxu Yin of 360 Vulnerability Research Institute and was disclosed on April 25, 2023. The affected products include VMware Workstation Pro v17.x and VMware Fusion v13.x (VMware Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.7, categorizing it as 'Important' severity. The CVSS vector string is AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H, indicating local access requirements with high attack complexity. The vulnerability specifically affects the SCSI CD/DVD device emulation component of the software (VMware Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute code on the hypervisor from a virtual machine. The high severity rating indicates potential significant impact on the confidentiality, integrity, and availability of the system (VMware Advisory, Help Net Security).

VMware has released patches to address this vulnerability in VMware Workstation 17.0.1 and VMware Fusion 13.0.1. As a temporary workaround, administrators can remove the CD/DVD device from the virtual machine or configure the virtual machine not to use a virtual SCSI controller (VMware Advisory, Bleeping Computer).