CVE-2024-5262: 
NixOS vulnerability analysis and mitigation

CVE-2024-5262 is a Files or Directories Accessible to External Parties vulnerability discovered in ProjectDiscovery Interactsh's SMB server component. The vulnerability affects versions from 0.0.6 through 1.1.9. This security flaw was disclosed on June 5, 2024, and allows remote attackers to read and write any files in the directory and subdirectories where the victim runs interactsh-server through anonymous login (ZUSO Advisory).

The vulnerability has been assigned a CVSS 4.0 Base Score of 9.3 (Critical) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N. It is also rated with a CVSS 3.1 Base Score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vulnerability is classified under CWE-552 (Files or Directories Accessible to External Parties) (ZUSO Advisory, NVD).

The vulnerability allows unauthorized access to read and write any files in the directory and subdirectories where the interactsh-server is running. This could potentially lead to unauthorized access to sensitive information, file manipulation, and system compromise (NVD).

The recommended mitigation is to update to Interactsh server version 1.2.0 or later, which contains the fix for this vulnerability. The fix implements better scoping of SMB share permissions (ZUSO Advisory, GitHub PR).