CVE-2023-22378: 
NixOS vulnerability analysis and mitigation

A blind SQL Injection vulnerability (CVE-2023-22378) was discovered in Nozomi Networks Guardian and CMC products. The vulnerability, identified in versions prior to 22.6.2, stems from improper input validation in the sorting parameter. The issue was initially reported on January 24, 2023, and affects authenticated users accessing the web application (Nozomi Advisory).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It received a CVSS v4.0 base score of 8.7 (High) and a CVSS v3.1 base score of 8.8 (High). The vulnerability vector for CVSS v4.0 is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicating network accessibility, low attack complexity, and high impacts on confidentiality, integrity, and availability (Nozomi Advisory, NVD).

Successful exploitation allows authenticated users to execute arbitrary SQL statements on the database management system (DBMS). Attackers can potentially extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and affect its availability (Nozomi Advisory).

The primary mitigation is to upgrade to version 22.6.2 or later. As a temporary workaround, organizations can use internal firewall features to limit access to the web management interface. Siemens recommends configuring the environment according to their operational guidelines for industrial security (Nozomi Advisory).