CVE-2023-22671: 
NixOS vulnerability analysis and mitigation

A command injection vulnerability was discovered in NSA Ghidra through version 10.2.2, identified as CVE-2023-22671. The vulnerability exists in the Linux runtime script (Ghidra/RuntimeScripts/Linux/support/launch.sh) where user-provided input is passed directly into an eval statement, leading to potential command injection when calling analyzeHeadless with untrusted input. The issue was discovered and reported on January 4, 2023 (GitHub Issue).

The vulnerability stems from the launch.sh script's usage of eval to process user input without proper sanitization. Specifically, when executing the analyzeHeadless command, the script passes user-provided arguments directly to an eval statement, allowing for command injection. The vulnerable code is located in the launch.sh script, where eval is used to execute Java commands (GitHub Issue).

The vulnerability allows attackers to execute arbitrary commands on systems running Ghidra when using the analyzeHeadless functionality. This is particularly concerning for security SaaS services that utilize analyzeHeadless as part of their service, as it could lead to remote code execution through natural-looking invocations (GitHub Issue).

The vulnerability was addressed in a fix that removed the usage of eval from the launch.sh script. The fix was implemented and merged through pull request #4872, which was incorporated into version 10.2.3 (GitHub PR).