SCA: security update for Bunkum (GHSA-jrf2-h5j6-3rrq)

medium Tenable Self-Hosted Container Security Plugin ID 416560

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Bunkum is an open-source protocol-agnostic request server for custom game servers. First, a little bit of
background. So, in the beginning, Bunkum's `AuthenticationService` only supported injecting `IUser`s.
However, as Refresh and SoundShapesServer implemented permissions systems support for injecting `IToken`s
into endpoints was added. All was well until 4.0. Bunkum 4.0 then changed to enforce relations between
`IToken`s and `IUser`s. This wasn't implemented in a very good way in the `AuthenticationService`, and
ended up breaking caching in such a way that cached tokens would persist after the lifetime of the request
- since we tried to cache both tokens and users. From that point until now, from what I understand, Bunkum
was attempting to use that cached token at the start of the next request once cached. Naturally, when that
token expired, downstream projects like Refresh would remove the object from Realm - and cause the object
in the cache to be in a detached state, causing an exception from invalid use of `IToken.User`. So in
other words, a use-after-free since Realm can't manage the lifetime of the cached token. Security-wise,
the scope is fairly limited, can only be pulled off on a couple endpoints given a few conditions, and you
can't guarantee which token you're going to get. Also, the token *would* get invalidated properly if the
endpoint had either a `IToken` usage or a `IUser` usage. The fix is to just wipe the token cache after the
request was handled, which is now in `4.2.1`. Users are advised to upgrade. There are no known workarounds
for this vulnerability. (CVE-2023-45814)

See Also

https://github.com/advisories/GHSA-jrf2-h5j6-3rrq

Plugin Details

Severity: Medium

ID: 416560

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 1.2

Percentile: 0.01

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-45814

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2023

Vulnerability Publication Date: 10/18/2023

Reference Information

CVE: CVE-2023-45814

cwe: CWE-772