CVE-2023-32749: 
NixOS vulnerability analysis and mitigation

Pydio Cells, a self-hosted Document Sharing and Collaboration platform, contains a privilege escalation vulnerability (CVE-2023-32749) that affects versions 4.1.2 and earlier. The vulnerability was discovered on March 23, 2023, and fixed versions (4.2.0, 4.1.3, 3.0.12) were released on May 8, 2023. The issue allows users to create external users with unauthorized role assignments, potentially granting access to all cells and non-personal workspaces (RedTeam Advisory).

The vulnerability exists in the user creation functionality where external users can be created by default. When creating a new user, the application sends a HTTP PUT request with a JSON object containing an empty 'Roles' array. By modifying this request to include a list of all available role UUIDs, which can be obtained through the user search functionality, an attacker can create a new user account with elevated privileges. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (NVD).

The successful exploitation of this vulnerability allows attackers with access to any regular user account to escalate their privileges by creating new external users with all roles assigned. This grants unauthorized access to all folders and files in any cell and workspace throughout the Pydio instance, except for personal workspaces (RedTeam Advisory).

As a temporary workaround, administrators can disable the creation of external users in the authentication settings. For a permanent fix, users should upgrade to Pydio Cells version 4.2.0, 4.1.3, or 3.0.12, depending on their current version track (RedTeam Advisory).