CVE-2023-40378: 
NixOS vulnerability analysis and mitigation

IBM Directory Server for IBM i contains a local privilege escalation vulnerability identified as CVE-2023-40378. The vulnerability was discovered in October 2023 and affects IBM i versions 7.2, 7.3, 7.4, and 7.5. A malicious actor with command line access to the host operating system can elevate privileges to gain component access to the host operating system (IBM Security Bulletin).

The vulnerability has been assigned a CVSS Base Score of 7.8 HIGH by NIST with a vector of CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, while IBM Corporation assessed it with a Base Score of 4.9 MEDIUM and vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L. The vulnerability is classified under CWE-269 (Improper Privilege Management) (NVD).

If exploited, this vulnerability allows an attacker with command line access to elevate their privileges and gain component access to the host operating system. This could potentially lead to unauthorized access to system resources and compromise of system security (IBM Security Bulletin).

IBM has released fixes for all affected versions through PTFs: SI84813 for v7.5, SI84817 for v7.4, SI84842 for v7.3, and SI84836 for v7.2. IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions. No workarounds are available for this vulnerability (IBM Security Bulletin).