CVE-2023-38745: 
NixOS vulnerability analysis and mitigation

CVE-2023-38745 is a vulnerability in Pandoc versions before 3.1.6 that allows arbitrary file write through crafted image elements. This vulnerability emerged as an incomplete fix for CVE-2023-35936, specifically failing to properly account for double encoded path names. The issue affects systems that pass untrusted user input to Pandoc and allow it to be used to produce a PDF or with the --extract-media option (NVD, Debian LTS).

The vulnerability is triggered when providing a specially crafted image element in the input when generating files via the --extract-media option or outputting to PDF format. The core issue lies in the handling of double-encoded path names, where an attacker could bypass the previous security fix by encoding '%' characters as '%25'. This allows for path traversal and arbitrary file writes on the system. The vulnerability has a CVSS v3.1 Base Score of 6.3 (Medium) with vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:H (NVD).

When exploited, this vulnerability allows an attacker to create or overwrite arbitrary files on the system, with the scope of impact determined by the privileges of the process running Pandoc. This is particularly concerning for systems that process untrusted user input through Pandoc's PDF generation or media extraction features (NVD, Debian LTS).

The vulnerability has been fixed in Pandoc version 3.1.6. The fix involves using the SHA1 hash of the contents as the canonical name if the URL-unescaped filename or extension contains a '%' character, similar to how paths containing '..' are handled. Users are strongly recommended to upgrade to version 3.1.6 or later (GitHub Commit, Debian LTS).