CVE-2023-27478: 
NixOS vulnerability analysis and mitigation

libmemcached-awesome, an open source C/C++ client library and tools for the memcached server, was found to contain a vulnerability (CVE-2023-27478) where it could return data for a previously requested key if that previous request timed out due to a low POLL_TIMEOUT setting. This vulnerability affects versions greater than 1.0.18 and less than 1.1.4. The issue was discovered in early 2023 and was fixed in version 1.1.4 (GitHub Advisory).

The vulnerability occurs when using a low POLL_TIMEOUT setting, which can cause request timeouts. When a timeout occurs, subsequent requests may return data from previously requested keys instead of the correct data. The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Moderate) with the following metrics: Attack Vector: Network, Attack Complexity: Low, Privileges Required: None, User Interaction: None, Scope: Unchanged, Confidentiality: Low, Integrity: Low, Availability: None (GitHub Advisory).

The vulnerability can lead to disclosure of unrelated data, potentially exposing sensitive information to unauthorized users. When exploited, the library may return data from previously requested keys without any error indication, which could lead to data leakage between different operations or users of the system (GitHub Advisory, PHP Memcached Issue).

The vulnerability has been patched in version 1.1.4. For users unable to upgrade immediately, several workarounds are available: 1) Use a reasonably high POLL_TIMEOUT setting (like the default value), 2) Use separate libmemcached connections for unrelated data, 3) Do not re-use libmemcached connections in an unknown state (GitHub Advisory).