SCA: security update for onefuzz (GHSA-q5vh-6whw-x745)

critical Tenable Self-Hosted Container Security Plugin ID 417914

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- OneFuzz is an open source self-hosted Fuzzing-As-A-Service platform. Starting with OneFuzz 2.12.0 or
greater, an incomplete authorization check allows an authenticated user from any Azure Active Directory
tenant to make authorized API calls to a vulnerable OneFuzz instance. To be vulnerable, a OneFuzz
deployment must be both version 2.12.0 or greater and deployed with the non-default --multi_tenant_domain
option. This can result in read/write access to private data such as software vulnerability and crash
information, security testing tools and proprietary code and symbols. Via authorized API calls, this also
enables tampering with existing data and unauthorized code execution on Azure compute resources. This
issue is resolved starting in release 2.31.0, via the addition of application-level check of the bearer
token's `issuer` against an administrator-configured allowlist. As a workaround users can restrict access
to the tenant of a deployed OneFuzz instance < 2.31.0 by redeploying in the default configuration, which
omits the `--multi_tenant_domain` option. (CVE-2021-37705)

See Also

https://github.com/advisories/GHSA-q5vh-6whw-x745

Plugin Details

Severity: Critical

ID: 417914

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 5

Percentile: 95.11

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-37705

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.5

Threat Score: 8.3

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/13/2021

Vulnerability Publication Date: 8/13/2021

Reference Information

CVE: CVE-2021-37705