SCA: security update for piccolo (GHSA-h7cm-mrvq-wcfr)

medium Tenable Cloud Security Plugin ID 415564

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Piccolo is an ORM and query builder which supports asyncio. In versions 0.120.0 and prior, the
implementation of `BaseUser.login` leaks enough information to a malicious user such that they would be
able to successfully generate a list of valid users on the platform. As Piccolo on its own does not also
enforce strong passwords, these lists of valid accounts are likely to be used in a password spray attack
with the outcome being attempted takeover of user accounts on the platform. The impact of this
vulnerability is minor as it requires chaining with other attack vectors in order to gain more then simply
a list of valid users on the underlying platform. The likelihood of this vulnerability is possible as it
requires minimal skills to pull off, especially given the underlying login functionality for Piccolo based
sites is open source. This issue has been patched in version 0.121.0. (CVE-2023-41885)

See Also

https://github.com/advisories/GHSA-h7cm-mrvq-wcfr

Plugin Details

Severity: Medium

ID: 415564

Version: Revision 1.8

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3.9

Percentile: 52.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-41885

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/12/2023

Vulnerability Publication Date: 9/12/2023

Reference Information

CVE: CVE-2023-41885