
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2023-50976 affects Redpanda versions before 23.1.21 and 23.2.x before 23.2.18. The vulnerability stems from missing authorization checks in the Transactions API, which could allow unauthorized access to transaction-related functionality (NVD, MITRE).
The vulnerability involves missing authorization checks in several transaction-related API handlers including end_txn, add_offsets_to_txn, add_partitions_to_txn, and txn_offset_commit. The CVSS v3.1 base score is 9.8 (CRITICAL) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
Because the authorization checks are missing, an attacker could access and manipulate transaction functionality without holding the required permissions. This covers every transaction operation exposed by the affected handlers: ending transactions, adding offsets, adding partitions, and committing transaction offsets (GitHub PR).
Users should upgrade to Redpanda version 23.1.21 or 23.2.18 or later, which implement proper authorization checks for the Transactions API. The fix adds authorization verification for WRITE permissions on transactional IDs and READ permissions for group IDs where appropriate (GitHub PR).
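To make the fix concrete, the following is an added illustration (not Redpanda's code) that models the authorization gap and its repair for the four handlers named above. The `Authorizer`, the `TxnRequest` record and the handler functions are simplified stand-ins for the Kafka transaction protocol that Redpanda implements; the error names `TRANSACTIONAL_ID_AUTHORIZATION_FAILED` and `GROUP_AUTHORIZATION_FAILED` are the standard Kafka protocol error codes a client would see when such a check fails. Of the four APIs, `add_offsets_to_txn` and `txn_offset_commit` are the ones that carry a consumer group id in the Kafka protocol, so those are where the READ check on the group applies.

```python
"""Model of the CVE-2023-50976 authorization gap and the fix described in the advisory.

Added example, not Redpanda's code. The ACL store, request record and handler
names below are simplified stand-ins for the Kafka transaction protocol.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Acl:
    """One allow-entry: principal may perform operation on the named resource."""
    principal: str
    operation: str       # "READ" or "WRITE"
    resource_type: str   # "TRANSACTIONAL_ID" or "GROUP"
    resource_name: str


class Authorizer:
    """Minimal allow-list authorizer (no wildcards, no deny rules)."""

    def __init__(self, acls: Iterable[Acl]) -> None:
        self._acls = frozenset(acls)

    def authorized(self, principal: str, operation: str,
                   resource_type: str, resource_name: str) -> bool:
        return Acl(principal, operation, resource_type, resource_name) in self._acls


@dataclass
class TxnRequest:
    api: str                       # one of TXN_APIS
    principal: str                 # authenticated client identity
    transactional_id: str
    group_id: Optional[str] = None  # only add_offsets_to_txn / txn_offset_commit carry one


# Kafka protocol: these two transaction APIs include a consumer group id.
GROUP_APIS = frozenset({"add_offsets_to_txn", "txn_offset_commit"})
TXN_APIS = GROUP_APIS | {"end_txn", "add_partitions_to_txn"}


def handle_vulnerable(req: TxnRequest, authz: Authorizer) -> str:
    """Pre-fix shape: the request reaches the coordinator without any ACL check."""
    if req.api not in TXN_APIS:
        raise ValueError(f"not a transaction API: {req.api}")
    return "processed"


def handle_fixed(req: TxnRequest, authz: Authorizer) -> str:
    """Post-fix shape: WRITE on the transactional id, then READ on the group id
    for the APIs that carry one. Both checks run before any coordinator work."""
    if req.api not in TXN_APIS:
        raise ValueError(f"not a transaction API: {req.api}")
    if not authz.authorized(req.principal, "WRITE", "TRANSACTIONAL_ID", req.transactional_id):
        return "TRANSACTIONAL_ID_AUTHORIZATION_FAILED"
    if req.api in GROUP_APIS:
        if req.group_id is None:
            return "INVALID_REQUEST"
        if not authz.authorized(req.principal, "READ", "GROUP", req.group_id):
            return "GROUP_AUTHORIZATION_FAILED"
    return "processed"


def run_demo() -> dict:
    """Constructed scenario: 'producer' owns txn 'orders-txn' and may read group
    'billing'; 'guest' holds no ACLs at all. Returns each handler's verdict."""
    authz = Authorizer([
        Acl("producer", "WRITE", "TRANSACTIONAL_ID", "orders-txn"),
        Acl("producer", "READ", "GROUP", "billing"),
    ])
    requests = {
        "guest_end_txn": TxnRequest("end_txn", "guest", "orders-txn"),
        "guest_add_partitions": TxnRequest("add_partitions_to_txn", "guest", "orders-txn"),
        "guest_txn_offset_commit": TxnRequest("txn_offset_commit", "guest", "orders-txn", "billing"),
        "producer_add_offsets_ok": TxnRequest("add_offsets_to_txn", "producer", "orders-txn", "billing"),
        "producer_wrong_group": TxnRequest("add_offsets_to_txn", "producer", "orders-txn", "payroll"),
    }
    return {
        name: {"vulnerable": handle_vulnerable(r, authz), "fixed": handle_fixed(r, authz)}
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:28s} vulnerable={verdict['vulnerable']:10s} fixed={verdict['fixed']}")
```

The vulnerable handler accepts every request in the scenario, including the `guest` principal that holds no ACLs at all; the fixed handler refuses those and also rejects the owning producer when it names a group it has no READ permission on, which is the "where appropriate" part of the fix. Running the same request set through both is also a cheap regression check to keep in a test suite after upgrading.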
Source: This report was generated using AI