CVE-2023-26032: 
NixOS vulnerability analysis and mitigation

CVE-2023-26032 is a SQL injection vulnerability discovered in ZoneMinder, an open-source CCTV software application. The vulnerability affects versions prior to 1.36.33 and 1.37.33, where the Username field of the JWT token was trusted when performing SQL queries. This security flaw was disclosed on February 24, 2023, and received a high severity CVSS score of 8.9 (GitHub Advisory, NVD).

The vulnerability stems from insufficient input validation in the Username field of the JWT token. If an attacker could determine the HASH key used by ZoneMinder, they could generate a malicious JWT token and use it to execute arbitrary SQL queries. The vulnerability has been assigned a CVSS v3.1 base score of 8.9, with the following metrics: Attack Vector: Network, Attack Complexity: High, Privileges Required: None, User Interaction: None, Scope: Changed, Confidentiality: High, Integrity: High, and Availability: Low (GitHub Advisory).

The successful exploitation of this vulnerability could allow attackers to view, add, modify, or delete information in the back-end database, potentially compromising the entire system's security. The high CVSS score reflects the significant potential impact on both data confidentiality and integrity (Security Online).

The vulnerability has been patched in ZoneMinder versions 1.36.33 and 1.37.33. The fix was implemented through commit decf3e3. Users are strongly recommended to upgrade to these patched versions. For those unable to upgrade immediately, manual application of the patch is suggested as a workaround (GitHub Advisory).