SCA: security update for github.com/stripe/smokescreen (GHSA-gcj7-j438-hjj2)

medium Tenable Self-Hosted Container Security Plugin ID 415066

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Smokescreen is a simple HTTP proxy that fogs over naughty URLs. The primary use case for Smokescreen is to
prevent server-side request forgery (SSRF) attacks in which external attackers leverage the behavior of
applications to connect to or scan internal infrastructure. Smokescreen also offers an option to deny
access to additional (e.g., external) URLs by way of a deny list. There was an issue in Smokescreen that
made it possible to bypass the deny list feature by appending a dot to the end of user-supplied URLs, or
by providing input in a different letter case. Recommended to upgrade Smokescreen to version 0.0.3 or
later. (CVE-2022-24825)

See Also

https://github.com/advisories/GHSA-gcj7-j438-hjj2

Plugin Details

Severity: Medium

ID: 415066

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2022-24825

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 4/7/2022

Vulnerability Publication Date: 4/7/2022

Reference Information

CVE: CVE-2022-24825

cwe: CWE-918