CVE-2023-2110: 
NixOS vulnerability analysis and mitigation

Obsidian desktop versions before 1.2.8 contain a Local File Disclosure vulnerability (CVE-2023-2110) affecting Windows, Linux, and macOS platforms. The vulnerability stems from improper path handling via 'app://local/' protocol, which allows attackers to access and exfiltrate local files to remote web servers. This security issue was discovered in April 2023 and was patched in version 1.2.8 released on May 3, 2023 (Obsidian Changelog, STAR Labs).

The vulnerability exists in the app:// custom URL scheme registered via electron.protocol.registerFileProtocol API in resources/app.asar/main.js. When handling requests starting with app://local/, the remainder of the URL is resolved as an absolute path. While there is a referrer check to prevent external webpage access, it can be bypassed by sending an empty referrer header through XMLHttpRequest, allowing unauthorized access to local files. The vulnerability has been assigned a CVSS 3.1 base score of 8.2 (High) with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (STAR Labs).

The vulnerability allows attackers to access and exfiltrate arbitrary files from the victim's system. Additionally, attackers can obtain a list of recently opened vaults from specific system locations, access workspace configurations, and potentially read most contents in the victim's vaults. The vulnerability also enables attackers to append content to existing markdown files or overwrite them entirely, potentially making the exploit wormable and compromising data integrity (STAR Labs).

The vulnerability has been patched in Obsidian version 1.2.8 by removing support for app://local URLs. For users of affected versions, it is recommended to avoid opening untrusted markdown or canvas files in Obsidian and to refrain from copying text from untrusted webpages into Obsidian. Detection of exploitation attempts can be performed by monitoring for iframe tags loading suspicious URLs in markdown files (Obsidian Changelog, STAR Labs).