SCA: security update for zsa (GHSA-wjmj-h3xc-hxp8)

medium Tenable Cloud Security Plugin ID 419974

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- zsa is a library for building typesafe server actions in Next.js. All users are impacted. The zsa
application transfers the parse error stack from the server to the client in production build mode. This
can potentially reveal sensitive information about the server environment, such as the machine username
and directory paths. An attacker could exploit this vulnerability to gain unauthorized access to sensitive
server information. This information could be used to plan further attacks or gain a deeper understanding
of the server infrastructure. This has been patched on `0.3.3`. (CVE-2024-37162)

See Also

https://github.com/advisories/GHSA-wjmj-h3xc-hxp8

Plugin Details

Severity: Medium

ID: 419974

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2024-37162

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.7

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/6/2024

Vulnerability Publication Date: 6/6/2024

Reference Information

CVE: CVE-2024-37162

cwe: CWE-209