CVE-2023-48106: 
NixOS vulnerability analysis and mitigation

Buffer Overflow vulnerability was discovered in zlib-ng minizip-ng version 4.0.2, identified as CVE-2023-48106. The vulnerability allows attackers to execute arbitrary code through a crafted file targeting the mzpathresolve function in the mz_os.c file. The vulnerability was disclosed on November 22, 2023 (NVD, MITRE).

The vulnerability is classified as a heap-based buffer overflow occurring in the mzpathresolve function within mz_os.c. The issue has been assigned a CVSS v3.1 base score of 8.8 (HIGH), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability can be triggered when processing specially crafted files, potentially leading to arbitrary code execution (NVD).

The vulnerability allows attackers to execute arbitrary code on affected systems. Given the CVSS score and vector string, the impact is considered high across all three security metrics: Confidentiality, Integrity, and Availability. The vulnerability requires user interaction but no privileges, making it particularly dangerous in scenarios where users process untrusted files (NVD).

Users should upgrade from minizip-ng version 4.0.2 to a patched version. The vulnerability has been reported and tracked in various security databases including Debian's security tracker (Debian Tracker).