SCA: security update for pimcore/pimcore (GHSA-gvmf-wcx6-p974)

high Tenable Self-Hosted Container Security Plugin ID 415318

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Pimcore is an Open Source Data & Experience Management Platform. Pimcore offers developers listing classes
to make querying data easier. This listing classes also allow to order or group the results based on one
or more columns which should be quoted by default. The actual issue is that quoting is not done properly
in both cases, so there's the theoretical possibility to inject custom SQL if the developer is using this
methods with input data and not doing proper input validation in advance and so relies on the auto-quoting
being done by the listing classes. This issue has been resolved in version 10.4.4. Users are advised to
upgrade or to apple the patch manually. There are no known workarounds for this issue. (CVE-2022-31092)

See Also

https://github.com/advisories/GHSA-gvmf-wcx6-p974

Plugin Details

Severity: High

ID: 415318

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.12

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2022-31092

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/22/2022

Vulnerability Publication Date: 6/22/2022

Reference Information

CVE: CVE-2022-31092

cwe: CWE-89