CVE-2024-0890: 
NixOS vulnerability analysis and mitigation

A critical SQL injection vulnerability (CVE-2024-0890) was discovered in hongmaple octopus version 1.0, specifically affecting the /system/dept/edit interface. The vulnerability was disclosed on January 25, 2024, and has been classified as critical with a CVSS v3.1 base score of 9.8 (NVD).

The vulnerability exists due to improper handling of the 'ancestors' parameter in the /system/dept/edit interface. The SQL injection is possible through the manipulation of this parameter, primarily due to the use of the $ placeholder symbol. The vulnerability has been assigned a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical severity (NVD).

The vulnerability allows remote attackers to execute arbitrary SQL commands on the affected system. This could potentially lead to unauthorized access to the database, data manipulation, and complete system compromise (Github POC).

As the vulnerability affects version 1.0 of hongmaple octopus and uses continuous delivery with rolling releases, no specific version details of affected or updated releases are available. Users are advised to implement strict input validation and consider upgrading to newer versions if available (NVD).