SCA: security update for dulwich (GHSA-897w-fcg9-f6xj)

high Tenable Cloud Security Plugin ID 442450

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with
0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or
checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries
whose filenames contained bytes that Windows interprets as structural path syntax. Contributing
configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings were looked up
under a wrong option name and so user-set values were silently ignored, and core.protectNTFS only
defaulted to true on Windows (Git upstream has defaulted it to true everywhere since CVE-2019-1353). Both
have been corrected. Anyone who clones, fetches, or checks out an untrusted repository with Dulwich on
Windows - either through the Dulwich CLI, porcelain.clone, or any downstream tool built on Dulwich - is
impacted. POSIX clones are not directly exploitable (on POSIX \ is a literal filename byte), but a POSIX
user can unknowingly propagate a malicious tree to Windows consumers via push or re-publication. This
issue is fixed in Dulwich 1.2.5. Users should upgrade to 1.2.5 or later. There is no effective pre-patch
workaround. On affected versions the core.protectNTFS configuration key was silently ignored, so setting
it to true does not mitigate the issue. Users who cannot upgrade should avoid cloning, fetching, or
checking out untrusted repositories with Dulwich on Windows. After upgrading the NTFS validator is on by
default on every platform, so no additional configuration is required. (CVE-2026-42305)

Solution

Update the dulwich library and its related packages to version 1.2.5 or later.

See Also

https://github.com/advisories/GHSA-897w-fcg9-f6xj

Plugin Details

Severity: High

ID: 442450

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 5/29/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.9

Percentile: 96.92

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2026-42305

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 5/28/2026

Vulnerability Publication Date: 5/28/2026

Reference Information

CVE: CVE-2026-42305

cwe: CWE-22