SCA: security update for tuf (GHSA-wjw6-2cqr-j4qr)

medium Tenable Self-Hosted Container Security Plugin ID 419980

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- python-tuf is a Python reference implementation of The Update Framework (TUF). In both clients
(`tuf/client` and `tuf/ngclient`), there is a path traversal vulnerability that in the worst case can
overwrite files ending in `.json` anywhere on the client system on a call to `get_one_valid_targetinfo()`.
It occurs because the rolename is used to form the filename, and may contain path traversal characters (ie
`../../name.json`). The impact is mitigated by a few facts: It only affects implementations that allow
arbitrary rolename selection for delegated targets metadata, The attack requires the ability to A) insert
new metadata for the path-traversing role and B) get the role delegated by an existing targets metadata,
The written file content is heavily restricted since it needs to be a valid, signed targets file. The file
extension is always .json. A fix is available in version 0.19 or newer. There are no workarounds that do
not require code changes. Clients can restrict the allowed character set for rolenames, or they can store
metadata in files named in a way that is not vulnerable: neither of these approaches is possible without
modifying python-tuf. (CVE-2021-41131)

See Also

https://github.com/advisories/GHSA-wjw6-2cqr-j4qr

Plugin Details

Severity: Medium

ID: 419980

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.8

Percentile: 56.9

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: High

Base Score: 8.8

Temporal Score: 6.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2021-41131

CVSS v3

Risk Factor: High

Base Score: 8.7

Temporal Score: 7.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

CVSS v4

Risk Factor: Medium

Base Score: 6.9

Threat Score: 2.5

Threat Vector: CVSS:4.0/E:U

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:H/SA:N

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 10/19/2021

Vulnerability Publication Date: 10/19/2021

Reference Information

CVE: CVE-2021-41131

cwe: CWE-22