CVE-2023-47390: 
NixOS vulnerability analysis and mitigation

CVE-2023-47390 affects Headscale through version 0.22.3. The vulnerability involves the exposure of bearer tokens in info-level logs, which was discovered and disclosed in November 2023. This security issue impacts the logging functionality of Headscale, a self-hosted implementation of the Tailscale control server (NVD, GitHub Issue).

The vulnerability stems from Headscale's logging mechanism writing bearer tokens to info-level logs when accessing the HTTP API. When users interact with the API, the system logs the entire bearer token in plaintext as part of the request metadata, including headers such as 'authorization' and 'grpcgateway-authorization'. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The exposure of bearer tokens in logs presents a significant security risk as these tokens can be used for authentication and authorization. If unauthorized users gain access to the logs, they could potentially extract these tokens and use them to make authenticated requests to the API, leading to unauthorized access to the system (GitHub Issue).

Users should upgrade to a version newer than 0.22.3 once available. In the meantime, it is recommended to restrict access to system logs and regularly rotate API tokens to minimize the risk of exposure (NVD).

The vulnerability was initially reported through GitHub Issues, where it received attention from the community with multiple users acknowledging the security concern through reactions and comments (GitHub Issue).