CVE-2023-6199: 
NixOS vulnerability analysis and mitigation

Book Stack version 23.10.2 contains a Server-Side Request Forgery (SSRF) vulnerability that was discovered on November 17, 2023, and publicly disclosed on November 20, 2023. The vulnerability affects the BookStack application and has been assigned CVE-2023-6199. The issue allows an authenticated user with writer permissions to filter local files on the server through SSRF (Fluid Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N. The issue is classified as CWE-918 (Server-Side Request Forgery). The vulnerability specifically affects the image handling functionality of BookStack and could be exploited to perform server-side requests or read the contents of files on the server system (Fluid Advisory, BookStack Blog).

The vulnerability allows attackers with writer permissions to obtain local files from the server through SSRF. This could potentially lead to unauthorized access to sensitive information stored on the server system (Fluid Advisory).

The vulnerability has been patched in BookStack version 23.10.3. Users are strongly advised to upgrade their installations, particularly where untrusted users have permission to create/edit/update page content. The update includes improved thumbnail handling for image data (BookStack Blog).