CVE-2023-4813: 
NixOS vulnerability analysis and mitigation

A flaw was found in glibc (CVE-2023-4813) where in an uncommon situation, the gaih_inet function may use memory that has been freed, resulting in an application crash. This vulnerability was discovered in September 2023 and affects glibc versions prior to 2.36. The issue is only exploitable when the getaddrinfo function is called and the hosts database in /etc/nsswitch.conf is configured with SUCCESS=continue or SUCCESS=merge (NVD, Red Hat).

The vulnerability occurs in the gaih_inet function when processing getaddrinfo calls. The issue manifests when the hosts database in /etc/nsswitch.conf has specific configuration settings (SUCCESS=continue or SUCCESS=merge). The CVSS v3.1 base score is 5.9 (Medium) with the vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (Red Hat).

When successfully exploited, this vulnerability can result in an application crash due to the use-after-free condition. The impact is limited to denial of service (DoS) with no confidentiality or integrity impacts reported (NetApp).

The immediate workaround is to remove the 'SUCCESS=continue' or 'SUCCESS=merge' options from the hosts line in nsswitch.conf, as these options are not officially supported on the hosts database. For a permanent fix, users should upgrade to glibc version 2.36 or later which contains the security patch (Bugzilla).