SCA: security update for tzinfo (GHSA-5cm2-9h8c-rvfx)

high Tenable Self-Hosted Container Security Plugin ID 410765

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using
time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data
source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are
defined in Ruby files. There is one file per time zone. Time zone files are loaded with `require` on
demand. In the affected versions, `TZInfo::Timezone.get` fails to validate time zone identifiers
correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later,
`TZInfo::Timezone.get` can be made to load unintended files with `require`, executing them within the Ruby
process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions
2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path
if their name follows the rules for a valid time zone identifier and the file has a prefix of
`tzinfo/definition` within a directory in the load path. Applications should ensure that untrusted files
are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated
before passing to `TZInfo::Timezone.get` by ensuring it matches the regular expression
`\A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z`. (CVE-2022-31163)

See Also

https://github.com/advisories/GHSA-5cm2-9h8c-rvfx

Plugin Details

Severity: High

ID: 410765

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 58

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

CVSS Score Source: CVE-2022-31163

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/21/2022

Vulnerability Publication Date: 7/21/2022

Reference Information

CVE: CVE-2022-31163