CVE-2023-7245: 
NixOS vulnerability analysis and mitigation

CVE-2023-7245 is a security vulnerability discovered in OpenVPN Connect versions 3.0 through 3.4.3 (Windows) and through 3.4.7 (macOS). The vulnerability stems from an improperly configured nodejs framework, which allows local users to execute arbitrary code within the nodejs process context by exploiting the ELECTRON_RUN_AS_NODE environment variable (NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. This indicates that the vulnerability requires local access, low attack complexity, and low privileges to exploit, but can result in high impacts to confidentiality, integrity, and availability (NVD).

The vulnerability allows local attackers to execute arbitrary code within the nodejs process context, potentially compromising the security of the affected system. This could lead to unauthorized access to system resources, data manipulation, or system compromise within the scope of the nodejs process (NVD).

The vulnerability has been patched in OpenVPN Connect version 3.4.4 for Windows and version 3.4.8 for macOS. Users are strongly advised to upgrade to these or later versions to mitigate the vulnerability. For Windows users, version 3.4.4 (3412) was released on February 8, 2024, and for macOS users, version 3.4.8 (4792) was released on January 18, 2024 (OpenVPN Windows, OpenVPN macOS).

The vulnerability was reported by security researcher Mykola Grymalyuk from RIPEDA Consulting, demonstrating the ongoing collaboration between security researchers and software vendors in identifying and addressing security vulnerabilities (OpenVPN Windows).