SCA: security update for github.com/mutagen-io/mutagen, github.com/mutagen-io/mutagen-compose (GHSA-jmp2-wc4p-wfh2)

high Tenable Cloud Security Plugin ID 416464

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Mutagen provides real-time file synchronization and flexible network forwarding for developers. Prior to
versions 0.16.6 and 0.17.1 in `mutagen` and prior to version 0.17.1 in `mutagen-compose`, Mutagen `list`
and `monitor` commands are susceptible to control characters that could be provided by remote endpoints.
This could cause terminal corruption, either intentional or unintentional, if these characters were
present in error messages or file paths/names. This could be used as an attack vector if synchronizing
with an untrusted remote endpoint, synchronizing files not under control of the user, or forwarding
to/from an untrusted remote endpoint. On very old systems with terminals susceptible to issues such as
CVE-2003-0069, the issue could theoretically cause code execution. The problem has been patched in Mutagen
v0.16.6 and v0.17.1. Earlier versions of Mutagen are no longer supported and will not be patched. Versions
of Mutagen after v0.18.0 will also have the patch merged. As a workaround, avoiding synchronization of
untrusted files or interaction with untrusted remote endpoints should mitigate any risk. (CVE-2023-30844)

See Also

https://github.com/advisories/GHSA-jmp2-wc4p-wfh2

Plugin Details

Severity: High

ID: 416464

Version: Revision 1.14

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 97.07

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2023-30844

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/5/2023

Vulnerability Publication Date: 5/5/2023

Reference Information

CVE: CVE-2023-30844