Detections
Analytics

SCA: security update for github.com/google/exposure-notifications-verification-server (GHSA-5v95-v8c8-3rh6)

high Tenable Self-Hosted Container Security Plugin ID 411027

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

 - A privilege escalation vulnerability impacting the Google Exposure Notification Verification Server
 (versions prior to 0.23.1), allows an attacker who (1) has UserWrite permissions and (2) is using a
 carefully crafted request or malicious proxy, to create another user with higher privileges than their
 own. This occurs due to insufficient checks on the allowed set of permissions. The new user creation event
 would be captured in the Event Log. (CVE-2021-22538)

See Also

https://github.com/advisories/GHSA-5v95-v8c8-3rh6

Plugin Details

Severity: High

ID: 411027

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 1/29/2025

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 4.8

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS Score Source: CVE-2021-22538

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/15/2021

Vulnerability Publication Date: 3/15/2021

Reference Information

CVE: CVE-2021-22538

cwe: CWE-276