CVE-2023-47619: 
NixOS vulnerability analysis and mitigation

Audiobookshelf, a self-hosted audiobook and podcast server, was found to contain multiple security vulnerabilities in versions 2.4.3 and prior. The vulnerability was assigned CVE-2023-47619 and was disclosed on December 13, 2023. The issue primarily affects users with update permissions who could potentially access and manipulate files on the system (GitHub Security Lab, NVD).

The vulnerability exists in the AuthorController.js component where insufficient input validation allows users with update permissions to perform unauthorized actions. The issue received a CVSS v3.1 base score of 8.1 (HIGH) from GitHub, Inc., and 6.5 (MEDIUM) from NIST. The vulnerability is classified under CWE-918 (Server-Side Request Forgery) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The flaw specifically manifests when handling the imagePath parameter in author update requests, where the input is processed without proper sanitization (GitHub Security Lab).

The vulnerability can lead to multiple security implications including Server-Side Request Forgery (SSRF), arbitrary file read (AFR), and arbitrary file deletion (AFD). Attackers with update permissions can read arbitrary files, delete arbitrary files, and send GET requests to arbitrary URLs and read the responses, potentially leading to information disclosure (GitHub Security Lab).

As of the time of publication, no patches were available for this vulnerability (NVD). Organizations using Audiobookshelf should carefully review and restrict update permissions to trusted users until a patch is available.