CVE-2024-13046: 
NixOS vulnerability analysis and mitigation

Ashlar-Vellum Cobalt contains a vulnerability related to CO file parsing that was discovered in December 2024. The vulnerability, tracked as CVE-2024-13046, allows remote attackers to execute arbitrary code on affected installations of Ashlar-Vellum Cobalt. This security flaw specifically affects Cobalt version 1204.90 (NVD, ZDI Advisory).

The vulnerability is classified as an Out-of-Bounds Write issue (CWE-787) that occurs during the parsing of CO files. The flaw stems from inadequate validation of user-supplied data, which can result in a write operation past the end of an allocated buffer. The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (ZDI Advisory).

If successfully exploited, this vulnerability allows attackers to execute arbitrary code in the context of the current process. The high CVSS score indicates significant potential impact on the confidentiality, integrity, and availability of the affected system (ZDI Advisory).

Given the nature of the vulnerability, the only recommended mitigation strategy is to restrict interaction with the application. The vendor was notified of the vulnerability on August 1, 2024, but no patch was available at the time of disclosure (ZDI Advisory).

The vulnerability was initially reported to the vendor by security researcher Andrea Micalizzi (aka rgod). After multiple follow-ups and no patch being released, Zero Day Initiative published this as a zero-day advisory on December 30, 2024 (ZDI Advisory).