CVE-2023-43621: 
NixOS vulnerability analysis and mitigation

CVE-2023-43621 affects Croc through version 9.6.5, a cross-platform file sharing utility. The vulnerability was discovered in September 2023 and involves the exposure of shared secrets used for file transfers. The issue specifically relates to how the shared secret, which is used for authenticating file transfers between sender and receiver, is handled in the command-line interface (NVD, Debian Tracker).

The vulnerability stems from the way Croc handles shared secrets in command-line arguments. When a shared secret is specified via the command line (either using 'croc send --code' on the sender side or directly on the receiver side), it becomes visible in the process list. This exposure occurs because command-line arguments are readable by all local users who can list processes and their arguments on Linux and most UNIX-like systems. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.7 (Medium) with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).

The primary impact of this vulnerability is the potential exposure of shared secrets to unauthorized local users on multi-user systems. If a malicious local user obtains the shared secret by viewing the process list, they could potentially intercept the file transfer and receive files intended for another recipient (GitHub Issue).

To mitigate this vulnerability, it is recommended to avoid passing the shared secret as a command-line argument. Instead, the shared secret should be read from stdin, a local file, or an environment variable, although this may be less intuitive than command-line usage (GitHub Issue).