CVE-2023-30362: 
NixOS vulnerability analysis and mitigation

A Buffer Overflow vulnerability was discovered in the coap_send function of libcoap library version 4.3.1-103-g52cfd56. The vulnerability was fixed in version 4.3.1-120-ge242200. This security issue was assigned CVE-2023-30362 and was publicly disclosed on June 23, 2023 (NVD).

The vulnerability exists in the coapsendinternal function within src/net.c. The issue occurs when calculating and inserting a null character at the end of pdu->data based on data_len, without proper length verification. This can lead to cases where it exceeds the allowed range of pdu->data, resulting in a heap buffer overflow read condition during the strstr function call (GitHub Issue). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 HIGH, with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers to obtain sensitive information via malformed PDU (Protocol Data Unit). The high CVSS score indicates that this vulnerability can be exploited remotely without requiring privileges or user interaction, potentially leading to the disclosure of sensitive memory contents (NVD).

The vulnerability has been fixed in libcoap version 4.3.1-120-ge242200. Users should upgrade to this version or later to address the security issue. The fix was implemented through a patch that addresses the potential overflow in coapsendinternal() (GitHub PR).