CVE-2024-45679: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in Assimp versions prior to 5.4.3, identified as CVE-2024-45679. The vulnerability was reported on September 18, 2024, affecting the Open Asset Import Library's PlyLoader.cpp component. This security flaw impacts all versions of Assimp software before version 5.4.3 (JVN Advisory, NVD).

The vulnerability is classified as a heap-based buffer overflow (CWE-122) with a CVSS v3.1 base score of 8.4 (HIGH). The vulnerability exists in the PlyLoader.cpp component of Assimp. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating local access requirements with no privileges or user interaction needed (JVN Advisory).

If successfully exploited, this vulnerability allows a local attacker to execute arbitrary code by importing a specially crafted file into the product. The high CVSS score indicates potential severe impacts on system confidentiality, integrity, and availability (NVD, JVN Advisory).

The primary mitigation is to update to Assimp version 5.4.3 or later, which contains the fix for this vulnerability. The fix was released as part of the Assimp 5.4.3 Bugfix Release (Assimp Release, JVN Advisory).

The vulnerability was discovered and reported by Yuhei Kawakoya of NTT Security Holdings to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership to address the vulnerability (JVN Advisory).