CVE-2024-13047: 
NixOS vulnerability analysis and mitigation

Ashlar-Vellum Cobalt contains a type confusion vulnerability in the parsing of CO files (CVE-2024-13047), discovered and reported by Andrea Micalizzi (rgod). The vulnerability was initially reported on August 6, 2024, and was publicly disclosed on December 30, 2024, after the vendor failed to provide a patch (ZDI Advisory).

The vulnerability stems from improper validation of user-supplied data during the parsing of CO files, resulting in a type confusion condition. The issue has been assigned a CVSS v3.1 base score of 7.8 (High), with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-843 (Access of Resource Using Incompatible Type) (NVD, ZDI Advisory).

If successfully exploited, this vulnerability allows remote attackers to execute arbitrary code in the context of the current process on affected installations of Ashlar-Vellum Cobalt. The high severity rating indicates potential complete compromise of system confidentiality, integrity, and availability (ZDI Advisory).

Given the nature of the vulnerability, the only recommended mitigation strategy is to restrict interaction with the application. As of the disclosure date, no official patch has been released by the vendor (ZDI Advisory).