SCA: security update for github.com/artifacthub/hub (GHSA-9pc8-m4vp-ggvf)

medium Tenable Cloud Security Plugin ID 413392

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Artifact Hub is a web-based application that enables finding, installing, and publishing packages and
configurations for CNCF projects. During a security audit of Artifact Hub's code base a security
researcher identified a bug in which a default unsafe rego built-in was allowed to be used when defining
authorization policies. Artifact Hub includes a fine-grained authorization mechanism that allows
organizations to define what actions can be performed by their members. It is based on customizable
authorization policies that are enforced by the `Open Policy Agent`. Policies are written using `rego` and
their data files are expected to be json documents. By default, `rego` allows policies to make HTTP
requests, which can be abused to send requests to internal resources and forward the responses to an
external entity. In the context of Artifact Hub, this capability should have been disabled. This issue has
been resolved in version `1.16.0`. Users are advised to upgrade. There are no known workarounds for this
vulnerability. (CVE-2023-45822)

See Also

https://github.com/advisories/GHSA-9pc8-m4vp-ggvf

Plugin Details

Severity: Medium

ID: 413392

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-45822

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2023

Vulnerability Publication Date: 10/19/2023

Reference Information

CVE: CVE-2023-45822

cwe: CWE-918