SCA: security update for convict (GHSA-4jrm-c32x-w4jf)

high Tenable Cloud Security Plugin ID 410260

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in
Mozilla Convict. This allows an attacker to inject attributes that are used in other components, or to
override existing attributes with ones that have incompatible type, which may lead to a crash. The main
use case of Convict is for handling server-side configurations written by the admins owning the servers,
and not random users. So it's unlikely that an admin would deliberately sabotage their own server. Still,
a situation can happen where an admin not knowledgeable about JavaScript could be tricked by an attacker
into writing the malicious JavaScript code into some config files. This issue affects Convict: before
6.2.4. (CVE-2023-0163)

See Also

https://github.com/advisories/GHSA-4jrm-c32x-w4jf

Plugin Details

Severity: High

ID: 410260

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-0163

CVSS v3

Risk Factor: High

Base Score: 8.4

Temporal Score: 7.6

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.6

Threat Score: 7.3

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/10/2023

Vulnerability Publication Date: 1/10/2023

Reference Information

CVE: CVE-2023-0163