CVE-2023-42658: 
NixOS vulnerability analysis and mitigation

CVE-2023-42658 is a security vulnerability discovered in Chef InSpec, affecting versions prior to 4.56.58 and 5.22.29. The vulnerability allows local command execution via maliciously crafted profile through the archive command (NVD, CVE). The vulnerability was discovered by HackerOne user tas50 and was disclosed on October 31, 2023 (Progress Community).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (HIGH) by NIST with vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating local access, low attack complexity, no privileges required, and user interaction required. Progress Software Corporation assigned a slightly higher CVSS score of 8.8 (HIGH) with vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code) and CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement) (NVD).

The vulnerability can lead to local command execution, potentially allowing an attacker to execute arbitrary commands on the affected system with high impacts on confidentiality, integrity, and availability of the system (NVD).

Users should upgrade Chef InSpec to version 4.56.58 or later for the 4.x series, or version 5.22.29 or later for the 5.x series to address this vulnerability (NVD).