SCA: security update for archivebox (GHSA-cr45-98w9-gwqx)

high Tenable Cloud Security Plugin ID 444479

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- ArchiveBox is an open source self-hosted web archiving system. Any users who are using the `wget`
extractor and view the content it outputs. The impact is potentially severe if you are logged in to the
ArchiveBox admin site in the same browser session and view an archived malicious page designed to target
your ArchiveBox instance. Malicious Javascript could potentially act using your logged-in admin
credentials and add/remove/modify snapshots, add/remove/modify ArchiveBox users, and generally do anything
an admin user could do. The impact is less severe for non-logged-in users, as malicious Javascript cannot
*modify* any archives, but it can still *read* all the other archived content by fetching the snapshot
index and iterating through it. Because all of ArchiveBox's archived content is served from the same host
and port as the admin panel, when archived pages are viewed the JS executes in the same context as all the
other archived pages (and the admin panel), defeating most of the browser's usual CORS/CSRF security
protections and leading to this issue. Version 0.9.0 contains a patch. As a mitigation for this issue
would be to disable the wget extractor by setting `archivebox config --set SAVE_WGET=False`, ensure you
are always logged out, or serve only a [static HTML
version](https://github.com/ArchiveBox/ArchiveBox/wiki/Publishing-Your-Archive#2-export-and-host-it-as-
static-html) of your archive. (CVE-2023-45815)

Solution

Update the archivebox library and its related packages to version 0.9.0 or later.

See Also

https://github.com/advisories/GHSA-cr45-98w9-gwqx

Plugin Details

Severity: High

ID: 444479

Version: Revision 1.1

Type: Local

Family: SCA Checks

Published: 7/7/2026

Updated: 7/7/2026

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 9.14

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:N

CVSS Score Source: CVE-2023-45815

CVSS v3

Risk Factor: Medium

Base Score: 5.4

Temporal Score: 4.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.4

Threat Score: 6.5

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/19/2023

Vulnerability Publication Date: 10/19/2023

Reference Information

CVE: CVE-2023-45815

cwe: CWE-79