CVE-2023-45823: 
NixOS vulnerability analysis and mitigation

Artifact Hub, a web-based application for finding, installing, and publishing packages and configurations for CNCF projects, was found to contain a security vulnerability identified as CVE-2023-45823. The vulnerability was discovered during a security audit by researcher Dejan Zelic at OffSec, who identified that using symbolic links in certain kinds of repositories loaded into Artifact Hub could enable unauthorized file reading. The issue was disclosed on October 19, 2023 (GitHub Advisory).

The vulnerability stems from insufficient validation of symbolic links when processing git-based repositories. When Artifact Hub clones and processes repositories, it reads specific files based on the artifact kind. However, the system failed to validate whether the file being accessed was a symbolic link, leading to a path traversal vulnerability (CWE-22). The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network accessibility, low attack complexity, no required privileges or user interaction, and high impact on confidentiality (NVD).

The vulnerability could allow attackers to read arbitrary files in the system, potentially exposing sensitive information. The impact is primarily focused on confidentiality, with no direct effect on system integrity or availability (GitHub Advisory).

The vulnerability has been patched in Artifact Hub version 1.16.0. Users are strongly advised to upgrade to this version or later. There are no known workarounds for this vulnerability (GitHub Advisory).