CVE-2023-50454: 
NixOS vulnerability analysis and mitigation

An issue was discovered in Zammad before 6.2.0 where SSL/TLS connections to external services were established without proper validation of hostname and certificate authority (NVD, Vendor Advisory). The vulnerability was disclosed on December 6, 2023, and affects all Zammad 6.1.x versions.

The vulnerability stems from improper certificate validation in several subsystems of Zammad. When establishing SSL/TLS connections to external services, the system failed to properly validate both the hostname and certificate authority of the connected services. This vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability could allow man-in-the-middle attackers to intercept and potentially manipulate communications between Zammad and external services if they manage to redirect network traffic to a malicious server. This could lead to exposure of sensitive information transmitted during these connections (Vendor Advisory).

The vulnerability has been fixed in Zammad version 6.2.0. Users are strongly recommended to upgrade to this version. However, for existing configured external connections such as email, SSL verification will not be automatically enabled. Administrators need to review all configured connections and manually enable SSL verification where applicable, particularly for publicly available services (Vendor Advisory).