CVE-2023-23574: 
NixOS vulnerability analysis and mitigation

A blind SQL Injection vulnerability (CVE-2023-23574) was discovered in Nozomi Networks Guardian and CMC products. The vulnerability, identified in the alerts_count component, stems from improper input validation and affects versions prior to 22.6.2. The issue was discovered during a scheduled internal VAPT testing session by Stefano Libero of Nozomi Networks Product Security team (Vendor Advisory).

The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). It has received a CVSS v4.0 base score of 8.7 (High) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 8.8 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Vendor Advisory).

The vulnerability allows authenticated users to execute arbitrary SQL statements on the DBMS used by the web application. Successful exploitation could enable attackers to extract arbitrary information from the DBMS in an uncontrolled way, alter its structure and data, and potentially affect its availability (Vendor Advisory).

Nozomi Networks recommends upgrading to version 22.6.2 or later to address this vulnerability. As a temporary workaround, organizations can use internal firewall features to limit access to the web management interface (Vendor Advisory).