SCA: security update for joelbutcher/socialstream (GHSA-3q97-vjpp-c8rp)

high Tenable Self-Hosted Container Security Plugin ID 409651

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Socialstream is a third-party package for Laravel Jetstream. It replaces the published authentication and
profile scaffolding provided by Laravel Jetstream, with scaffolding that has support for Laravel
Socialite. When linking a social account to an already authenticated user, the lack of a confirmation step
introduces a security risk. This is exacerbated if ->stateless() is used in the Socialite configuration,
bypassing state verification and making the exploit easier. Developers should ensure that users explicitly
confirm account linking and avoid configurations that skip critical security checks. Socialstream v6.2
introduces a new custom route that requires a user to "Confirm" or "Deny" a request to link a social
account. Users are advised to upgrade. There are no known workarounds for this vulnerability.
(CVE-2024-56329)

See Also

https://github.com/advisories/GHSA-3q97-vjpp-c8rp

Plugin Details

Severity: High

ID: 409651

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2024-56329

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 8.9

Threat Score: 5.9

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 12/20/2024

Vulnerability Publication Date: 12/20/2024

Reference Information

CVE: CVE-2024-56329

cwe: CWE-287