SCA: security update for hail (GHSA-487p-qx68-5vjw)

medium Tenable Cloud Security Plugin ID 433694

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Hail is an open-source, general-purpose, Python-based data analysis tool with additional data types and
methods for working with genomic data. Hail relies on OpenID Connect (OIDC) email addresses from ID tokens
to verify the validity of a user's domain, but because users have the ability to change their email
address, they could create accounts and use resources in clusters that they should not have access to. For
example, a user could create a Microsoft or Google account and then change their email to
`[email protected]`. This account can then be used to create a Hail Batch account in Hail Batch clusters
whose organization domain is `example.org`. The attacker is not able to access private data or impersonate
another user, but they would have the ability to run jobs if Hail Batch billing projects are enabled and
create Azure Tenants if they have Azure Active Directory Administrator access. (CVE-2023-51663)

See Also

https://github.com/advisories/GHSA-487p-qx68-5vjw

Plugin Details

Severity: Medium

ID: 433694

Version: Revision 1.4

Type: Local

Family: SCA Checks

Published: 8/19/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2023-51663

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 1/2/2024

Vulnerability Publication Date: 12/29/2023

Reference Information

CVE: CVE-2023-51663

cwe: CWE-289