CVE-2023-28371: 
NixOS vulnerability analysis and mitigation

CVE-2023-28371 affects Stellarium through version 1.2, a real-time 3D photo-realistic nightsky renderer. The vulnerability was disclosed on March 15, 2023, and allows attackers to write to files that are typically unintended, such as ones with absolute pathnames or through directory traversal (NVD).

The vulnerability is classified as an Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') issue (CWE-22). It received a CVSS v3.1 Base Score of 9.8 CRITICAL with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network access vector, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows attackers to write to unintended files through absolute pathnames or directory traversal, potentially leading to unauthorized file modifications and system compromise. This could affect system integrity and potentially lead to unauthorized access to sensitive files (NVD).

Multiple security patches have been implemented to address this vulnerability. These include requiring manually set flags to run scripts from absolute pathnames, preventing overwriting of config.ini, and implementing checks for directory traversal attempts. The fixes are available in updated versions of Stellarium, and configuration options have been added to control file write permissions through the flags 'flagscriptallowabsolutepath' and 'flagscriptallowwriteabsolute_path' (Stellarium Commit, Stellarium Commit).

The vulnerability was addressed in Fedora Linux distributions with security updates released for Fedora 36, 37, and 38, indicating the broader impact on Linux distributions and the response from the open-source community (Fedora Update).