SCA: security update for nanopb (GHSA-85rr-4rh9-hhwh)

high Tenable Cloud Security Plugin ID 412451

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7,
decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field
contains a static submessage that contains a dynamic field, and the message being decoded contains the
submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is
parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the
option `no_unions` for the oneof field. This will generate fields as separate instead of C union, and
avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to
`FT_POINTER`. This way the whole submessage will be dynamically allocated and the problematic code is not
executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.
(CVE-2020-26243)

See Also

https://github.com/advisories/GHSA-85rr-4rh9-hhwh

Plugin Details

Severity: High

ID: 412451

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.4

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2020-26243

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/25/2020

Vulnerability Publication Date: 11/25/2020

Reference Information

CVE: CVE-2020-26243