CVE-2023-25152: 
NixOS vulnerability analysis and mitigation

Wings, Pterodactyl's server control plane, was found to contain an Improper Link Resolution vulnerability (CVE-2023-25152) that was disclosed on February 8, 2023. The vulnerability affects Wings versions < 1.7.2, 1.11.0, 1.11.1, and 1.11.2. This security issue allows attackers with an existing server allocation to potentially create new files on the host system (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.4 (High severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:L/A:H. The vulnerability is classified as CWE-59 and requires network access with high attack complexity. While it requires low privileges, no user interaction is needed for exploitation (GitHub Advisory).

The vulnerability could allow attackers to modify resource allocations, promote containers to privileged mode, or potentially add SSH authorized keys to gain remote shell access to the target machine. This impacts the confidentiality, integrity, and availability of the affected systems (GitHub Advisory).

The vulnerability has been patched in Wings version v1.11.3 and backported to v1.7.3. Users running v1.11.x should upgrade to v1.11.3, while those on v1.7.x should upgrade to v1.7.3. No alternative workarounds are available (GitHub Advisory).