CVE-2023-46129: 
NixOS vulnerability analysis and mitigation

NATS.io's cryptographic key handling library (nkeys) vulnerability was discovered in versions 0.4.0 through 0.4.5, corresponding with NATS server versions 2.10.0 through 2.10.3. The vulnerability was identified on October 26, 2023, and affects the encryption functionality introduced in January 2023. NATS.io is a high-performance open-source pub-sub distributed communication technology used for cloud, on-premise, IoT, and edge computing (OSS Security, GitHub Advisory).

The vulnerability stems from the nkeys library's 'xkeys' encryption handling logic, which incorrectly passed an array by value into an internal function. The function was meant to mutate the buffer to populate the encryption key, but due to this implementation flaw, all encryption operations were performed using an all-zeros key. This issue specifically affects the encryption functionality while leaving the signing capabilities unaffected. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability primarily affects the Auth Callouts feature introduced in NATS server 2.10.0. In scenarios where Callouts are configured in an account shared with untrusted users or where callout responders connect without TLS, this vulnerability could lead to user credential exposure. The Auth Callout request includes supplied user passwords, which could be compromised due to the ineffective encryption (OSS Security).

No workarounds are available for this vulnerability. The recommended solution is to upgrade to nkeys version 0.4.6 and NATS server version 2.10.4. For applications handling auth callouts in Go that use the nkeys library, users must update the dependency, recompile, and deploy in lockstep (GitHub Advisory).