CVE-2023-40612: 
NixOS vulnerability analysis and mitigation

A vulnerability (CVE-2023-40612) was discovered in OpenMNS Horizon versions 31.0.8 and earlier than 32.0.2, where the file editor accessible to users with ROLEFILESYSTEMEDITOR privileges was found to be vulnerable to XXE (XML External Entity) injection attacks. The vulnerability was reported by Erik Wynter and addressed in Meridian 2023.1.5 and Horizon 32.0.2 (NVD).

The vulnerability is classified as CWE-91 (XML Injection) and received a CVSS v3.1 base score of 8.0 (HIGH) from NIST NVD with vector string CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The OpenNMS Group assessed it with a lower CVSS score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:A/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L. The vulnerability specifically affects the file editor component that is accessible to users with ROLEFILESYSTEMEDITOR privileges (NVD).

The XXE injection vulnerability could potentially allow attackers with ROLEFILESYSTEMEDITOR privileges to read sensitive files, execute server-side request forgery (SSRF) attacks, or cause denial of service conditions. The high CVSS scores indicate potential for significant confidentiality and integrity breaches (NVD).

The recommended mitigation is to upgrade to Meridian 2023.1.5 or Horizon 32.0.2 or newer versions. OpenNMS has noted that Meridian and Horizon installations should be deployed within private networks and not be directly accessible from the Internet. A security patch was implemented to secure the XML parser factory (OpenNMS Patch, Release Notes).