SCA: security update for github.com/talos-systems/talos (GHSA-7hgc-php5-77qq)

high Tenable Cloud Security Plugin ID 412086

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Talos Linux is a Linux distribution built for Kubernetes deployments. Talos worker nodes use a join token
to get accepted into the Talos cluster. Due to improper validation of the request while signing a worker
node CSR (certificate signing request) Talos control plane node might issue Talos API certificate which
allows full access to Talos API on a control plane node. Accessing Talos API with full level access on a
control plane node might reveal sensitive information which allows full level access to the cluster
(Kubernetes and Talos PKI, etc.). Talos API join token is stored in the machine configuration on the
worker node. When configured correctly, Kubernetes workloads don't have access to the machine
configuration, but due to a misconfiguration workload might access the machine configuration and reveal
the join token. This problem has been fixed in Talos 1.2.2. Enabling the Pod Security Standards mitigates
the vulnerability by denying hostPath mounts and host networking by default in the baseline policy.
Clusters that don't run untrusted workloads are not affected. Clusters with correct Pod Security
configurations which don't allow hostPath mounts, and secure access to cloud metadata server (or machine
configuration is not supplied via cloud metadata server) are not affected. (CVE-2022-36103)

See Also

https://github.com/advisories/GHSA-7hgc-php5-77qq

Plugin Details

Severity: High

ID: 412086

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2022-36103

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/16/2022

Vulnerability Publication Date: 9/13/2022

Reference Information

CVE: CVE-2022-36103