CVE-2023-5719: 
NixOS vulnerability analysis and mitigation

The vulnerability (CVE-2023-5719) affects the Crimson 3.2 Windows-based configuration tool, which was discovered and disclosed in November 2023. This security flaw impacts Red Lion's Crimson software, specifically when administrators define new passwords for users and download security configurations to devices (CISA Advisory, NVD).

The vulnerability occurs when passwords containing the percent (%) character are processed, resulting in invalid values being included and potential string truncation if a NUL character is encountered. The severity of this vulnerability is rated as CRITICAL with a CVSS v3.1 base score of 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Notably, this vulnerability only affects passwords set through the Windows-based configuration tool and does not impact passwords entered via the Crimson system web server (NVD).

If exploited, this vulnerability could leave devices in a vulnerable state due to compromised credentials that are weaker than intended. The impact is particularly significant as it affects the security configuration process, potentially leading to unauthorized access to affected systems (CISA Advisory).

Red Lion has addressed this vulnerability in newer versions of the software. Users are advised to update the Crimson configuration tool to a version later than 3.2. Additionally, administrators should avoid using the percent (%) character in passwords when using affected versions of the software (Red Lion Advisory).