CVE-2023-43091: 
NixOS vulnerability analysis and mitigation

A code injection vulnerability was discovered in GNOME Maps (CVE-2023-43091) that affects versions 43 prior to 43.7 and 44 prior to 44.4. The vulnerability exists in the application's handling of its service.json configuration file, which is typically downloaded from static.gnome.org. This flaw was introduced through merge request 227 and remained present through the v43.* series of releases from v43.0 up to and including v45.beta (GNOME Issue).

The vulnerability stems from the use of JavaScript's eval function in the src/transitRouter.js file, which executes strings obtained from a JSON configuration file. The issue specifically involves the transitProviders[].provider.plugin fields in the JSON configuration file, where the value is unchecked before being passed to eval. This allows for the insertion of arbitrary JavaScript code in the JSON field, which the application then executes when the plugin is loaded (GNOME Issue).

If exploited, this vulnerability could allow attackers to execute arbitrary code within the context of the GNOME Maps application. The impact is particularly significant if the configuration file source is compromised, as it could affect all users who download the service.json file from the default location (GNOME Issue).

The issue has been fixed by implementing an allowlist for plugin values that correspond to the plugin classes that can be instantiated. The fix was committed in version d26cd774 and has been backported to the 44.x and 43.x branches. Users should upgrade to versions 43.7 or 44.4 or later to receive the security fix (GNOME Commit).