SCA: security update for uvicorn (GHSA-33c7-2mpw-hg34)

high Tenable Self-Hosted Container Security Plugin ID 409243

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- This affects all versions of package uvicorn. The request logger provided by the package is vulnerable to
ASNI escape sequence injection. Whenever any HTTP request is received, the default behaviour of uvicorn is
to log its details to either the console or a log file. When attackers request crafted URLs with percent-
encoded escape sequences, the logging component will log the URL after it's been processed with
urllib.parse.unquote, therefore converting any percent-encoded characters into their single-character
equivalent, which can have special meaning in terminal emulators. By requesting URLs with crafted paths,
attackers can: * Pollute uvicorn's access logs, therefore jeopardising the integrity of such files. * Use
ANSI sequence codes to attempt to interact with the terminal emulator that's displaying the logs (either
in real time or from a file). (CVE-2020-7694)

See Also

https://github.com/advisories/GHSA-33c7-2mpw-hg34

Plugin Details

Severity: High

ID: 409243

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.18

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2020-7694

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.7

Threat Score: 7.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/29/2020

Vulnerability Publication Date: 7/27/2020

Reference Information

CVE: CVE-2020-7694