CVE-2023-36177: 
NixOS vulnerability analysis and mitigation

An issue was discovered in badaix Snapcast version 0.27.0, a multiroom client-server audio player that synchronizes audio playback across multiple clients. The vulnerability allows remote attackers to execute arbitrary code and gain sensitive information through crafted requests in the JSON-RPC-API (NVD, Debian Security).

The vulnerability exists in the JSON-RPC interface of the server component of Snapcast. It leverages the functionality of reading sound from a process to achieve remote code execution. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows attackers to execute arbitrary code on affected systems through the JSON-RPC API. This can lead to complete system compromise, including the ability to gain sensitive information and execute malicious commands on the target system (NVD, Oxnan Blog).

The vulnerability has been fixed in version 0.30.0 of Snapcast. For Debian systems, the fix has been backported to version 0.26.0+dfsg1-1+deb12u1 in the bookworm distribution. Users are strongly recommended to upgrade their snapcast packages to the latest version (Debian Security, Debian Tracker).