SCA: security update for webcrack (GHSA-ccqh-278p-xq6w)

medium Tenable Cloud Security Plugin ID 413830

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- webcrack is a tool for reverse engineering javascript. An arbitrary file write vulnerability exists in the
webcrack module when processing specifically crafted malicious code on Windows systems. This vulnerability
is triggered when using the unpack bundles feature in conjunction with the saving feature. If a module
name includes a path traversal sequence with Windows path separators, an attacker can exploit this to
overwrite files on the host system. This vulnerability allows an attacker to write arbitrary `.js` files
to the host system, which can be leveraged to hijack legitimate Node.js modules to gain arbitrary code
execution. This vulnerability has been patched in version 2.14.1. (CVE-2024-43373)

See Also

https://github.com/advisories/GHSA-ccqh-278p-xq6w

Plugin Details

Severity: Medium

ID: 413830

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.6

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2024-43373

CVSS v3

Risk Factor: High

Base Score: 7.8

Temporal Score: 7

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.2

Threat Score: 5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:H/SA:L

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 8/14/2024

Vulnerability Publication Date: 8/14/2024

Reference Information

CVE: CVE-2024-43373