CVE-2023-37896: 
NixOS vulnerability analysis and mitigation

Nuclei, a vulnerability scanner, disclosed a security issue (CVE-2023-37896) affecting users utilizing Nuclei as Go code (SDK) running custom templates prior to version 2.9.9. The vulnerability was related to sanitization issues with payloads loading in sandbox mode, where relative paths were not being converted to absolute paths before performing sandbox flag checks (Vendor Advisory).

The vulnerability occurred due to relative paths not being converted to absolute paths before performing the sandbox flag check, which allowed arbitrary files to be read on the filesystem in certain cases when using Nuclei from Go SDK implementation. The issue has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow arbitrary files to be read on the filesystem when using Nuclei from Go SDK implementation. This primarily affects confidentiality as indicated by the CVSS metrics showing high confidentiality impact while integrity and availability remain unaffected (Vendor Advisory).

The issue has been fixed in version 2.9.9. The maintainers have enabled sandbox by default for filesystem loading and introduced two new options replacing the deprecated -sandbox option: -lfa (allow local file access) which is enabled by default and -lna (restrict local network access) which can be enabled by users optionally. The -lfa allows file access anywhere on the system, and -lna blocks connections to the local/private network (Release Notes).