SCA: security update for templated_dictionary (GHSA-7j98-74jh-cjxh)

critical Tenable Cloud Security Plugin ID 421491

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The Mock software contains a privilege escalation vulnerability that could allow an attacker to execute
arbitrary code with root privileges. The weakness stems from the absence of proper sandboxing during the
expansion and execution of Jinja2 templates, which may be included in certain configuration parameters.
While the Mock documentation advises treating users added to the mock group as privileged, certain build
systems invoking mock on behalf of users might inadvertently permit less privileged users to define
configuration tags. These tags could then be passed as parameters to mock during execution, potentially
allowing Jinja2 templates to be used for remote privilege escalation and the execution of arbitrary code
as the root user on the build server. (CVE-2023-6395)

See Also

https://github.com/advisories/GHSA-7j98-74jh-cjxh

Plugin Details

Severity: Critical

ID: 421491

Version: Revision 1.3

Type: Local

Family: SCA Checks

Published: 3/28/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2023-6395

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 1/16/2024

Vulnerability Publication Date: 1/16/2024

Reference Information

CVE: CVE-2023-6395