SCA: security update for github.com/wolfi-dev/wolfictl (GHSA-8fg7-hp93-qhvr)

medium Tenable Cloud Security Plugin ID 412625

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to
0.16.10 allows a local user’s GitHub token to be sent to remote servers other than `github.com`. Most git-
dependent functionality in wolfictl relies on its own `git` package, which contains centralized logic for
implementing interactions with git repositories. Some of this functionality requires authentication in
order to access private repositories. A central function `GetGitAuth` looks for a GitHub token in the
environment variable `GITHUB_TOKEN` and returns it as an HTTP basic auth object to be used with the
`github.com/go-git/go-git/v5` library. Most callers (direct or indirect) of `GetGitAuth` use the token to
authenticate to github.com only; however, in some cases callers were passing this authentication without
checking that the remote git repository was hosted on github.com. This behavior has existed in one form or
another since commit 0d06e1578300327c212dda26a5ab31d09352b9d0 - committed January 25, 2023. This impacts
anyone who ran the `wolfictl check update` commands with a Melange configuration that included a `git-
checkout` directive step that referenced a git repository not hosted on github.com. This also impacts
anyone who ran `wolfictl update <url>` with a remote URL outside of github.com. Additionally, these
subcommands must have run with the `GITHUB_TOKEN` environment variable set to a valid GitHub token. Users
should upgrade to version 0.16.10 to receive a patch. (CVE-2024-35183)

See Also

https://github.com/advisories/GHSA-8fg7-hp93-qhvr

Plugin Details

Severity: Medium

ID: 412625

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.68

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Low

Base Score: 3.8

Temporal Score: 2.8

Vector: CVSS2#AV:L/AC:H/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2024-35183

CVSS v3

Risk Factor: Medium

Base Score: 4.4

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/15/2024

Vulnerability Publication Date: 5/15/2024

Reference Information

CVE: CVE-2024-35183