CVE-2023-28487: 
NixOS vulnerability analysis and mitigation

CVE-2023-28487 affects Sudo versions before 1.9.13, where the software fails to properly escape control characters in sudoreplay output. This vulnerability was discovered in early 2023 and was publicly disclosed on March 15, 2023. The issue affects various operating systems and distributions that use Sudo, including Red Hat Enterprise Linux, Debian, Ubuntu, and NetApp products (NVD, NetApp Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The technical issue involves the improper handling of control characters in the sudoreplay output functionality. The vulnerability is classified under CWE-116 (Improper Encoding or Escaping of Output) (NVD).

When successfully exploited, this vulnerability could lead to the disclosure of sensitive information. The impact is primarily related to confidentiality, with no direct effect on integrity or availability of the system (NetApp Advisory).

The primary mitigation is to upgrade Sudo to version 1.9.13 or later. The fix includes changes to escape control characters in octal format, handle space characters in command paths, and properly handle command line arguments that contain spaces. For Debian 10 (buster), the fix is available in version 1.8.27-1+deb10u6 (Debian LTS, Sudo Release).