CVE-2023-24477: 
NixOS vulnerability analysis and mitigation

CVE-2023-24477 affects Guardian/CMC versions before 22.6.2, discovered in a session management vulnerability. The issue involves incomplete session invalidation upon logout when using the Chrome web browser under certain timing conditions. This vulnerability was reported and disclosed by Nozomi Networks Inc., with the initial CVE assignment date of January 24, 2023 (CVE Details).

The vulnerability is classified as a Session Fixation (CWE-384) issue. It has received a CVSS v4.0 base score of 5.4 (Medium) with vector string CVSS:4.0/AV:L/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, and a CVSS v3.1 base score of 7.0 (High) with vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD, Nozomi Advisory).

The vulnerability could allow an authenticated local attacker to gain access to the original user's session after logout. This could potentially lead to unauthorized access to sensitive information and system functions within the scope of the original user's permissions (Nozomi Advisory).

The primary mitigation is to upgrade to Guardian/CMC version 22.6.2, v23.0.0, or later versions. As a workaround, users are advised to adopt best practices that include closing the browser after logout (Nozomi Advisory).