SCA: security update for infrahub-server (GHSA-v2p7-4pv4-3wwh)

medium Tenable Cloud Security Plugin ID 435254

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5,
a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered
valid. This means that any API token that is associated with an active user account can authenticate
successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or
deactivate the account associated with a deleted API token to prevent that token from authenticating.
(CVE-2025-59036)

See Also

https://github.com/advisories/GHSA-v2p7-4pv4-3wwh

Plugin Details

Severity: Medium

ID: 435254

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 9/11/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.8

Percentile: 22.92

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2025-59036

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 9/10/2025

Vulnerability Publication Date: 9/9/2025

Reference Information

CVE: CVE-2025-59036

cwe: CWE-298