CVE-2023-47741: 
NixOS vulnerability analysis and mitigation

IBM i 7.3, 7.4, 7.5, and IBM i Db2 Mirror for i 7.4 and 7.5 web browser clients contain a security vulnerability identified as CVE-2023-47741. The vulnerability was disclosed on December 18, 2023, and allows clear-text passwords to remain in browser memory, which can be viewed using common browser tools before garbage collection occurs (IBM Security, NVD).

The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the following vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N. The attack requires physical access (AV:P), has low attack complexity (AC:L), requires no privileges (PR:N), needs no user interaction (UI:N), changes scope (S:C), and can result in high confidentiality impact (C:H) with no impact on integrity (I:N) or availability (A:N) (NVD).

A malicious actor with physical access to a victim's PC could exploit this vulnerability to gain access to the IBM i operating system by viewing clear-text passwords stored in browser memory using common browser tools (IBM Security).

IBM has released fixes through PTFs for affected versions. For IBM i 5770-SS1 Option 3: 7.5 (SI84809), 7.4 (SI84811), 7.3 (SI84814), and for Option 34: 7.5 (SI85585), 7.4 (SI85584), 7.3 (SI85582). For Db2 Mirror for i: 7.5 (SI85394), 7.4 (SI85393). IBM recommends that all users running unsupported versions upgrade to supported and fixed versions of affected products (IBM Security, IBM Db2 Mirror).