SCA: security update for com.github.jlangch:venice (GHSA-4mmh-5vw7-rgvj)

low Tenable Cloud Security Plugin ID 410287

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Venice is a Clojure inspired sandboxed Lisp dialect with excellent Java interoperability. A partial path
traversal issue exists within the functions `load-file` and `load-resource`. These functions can be
limited to load files from a list of load paths. Assuming Venice has been configured with the load paths:
`[ "/Users/foo/resources" ]` When passing **relative** paths to these two vulnerable functions everything
is fine: `(load-resource "test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource
"../resources-alt/test.png")` => rejected, outside the load path When passing **absolute** paths to these
two vulnerable functions Venice may return files outside the configured load paths: `(load-resource
"/Users/foo/resources/test.png")` => loads the file "/Users/foo/resources/test.png" `(load-resource
"/Users/foo/resources-alt/test.png")` => loads the file "/Users/foo/resources-alt/test.png" !!! The latter
call suffers from the _Partial Path Traversal_ vulnerability. This issue’s scope is limited to absolute
paths whose name prefix matches a load path. E.g. for a load-path `"/Users/foo/resources"`, the actor can
cause loading a resource also from `"/Users/foo/resources-alt"`, but not from `"/Users/foo/images"`.
Versions of Venice before and including v1.10.17 are affected by this issue. Upgrade to Venice >= 1.10.18,
if you are on a version < 1.10.18. There are currently no known workarounds. (CVE-2022-36007)

See Also

https://github.com/advisories/GHSA-4mmh-5vw7-rgvj

Plugin Details

Severity: Low

ID: 410287

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 1.7

Temporal Score: 1.3

Vector: CVSS2#AV:L/AC:L/Au:S/C:P/I:N/A:N

CVSS Score Source: CVE-2022-36007

CVSS v3

Risk Factor: Low

Base Score: 3.3

Temporal Score: 3

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/18/2022

Vulnerability Publication Date: 8/14/2022

Reference Information

CVE: CVE-2022-36007

cwe: CWE-22