CVE-2023-33972: 
NixOS vulnerability analysis and mitigation

Scylladb, a NoSQL data store using the seastar framework compatible with Apache Cassandra, contains a privilege escalation vulnerability identified as CVE-2023-33972. The vulnerability affects all versions of ScyllaDB up to version 5.2.8, and was disclosed on September 27, 2023. This security issue allows authenticated users with table creation permissions in a keyspace to escalate their privileges, potentially gaining unauthorized access to other tables within the same keyspace (GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (High) by NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. GitHub has assigned it a slightly lower score of 7.2 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

The vulnerability allows authenticated users who have CREATE permissions on a keyspace to gain unauthorized access to any table within that same keyspace, even if they don't have explicit permissions for those tables. This represents a significant privilege escalation that could lead to unauthorized data access and potential data breaches (GitHub Advisory).

As of the disclosure, no official patch has been released to address this vulnerability. However, a workaround has been provided: administrators should disable CREATE privileges on keyspaces and instead create new tables on behalf of other users. This temporary solution helps prevent unauthorized privilege escalation until a permanent fix is available (GitHub Advisory).