SCA: security update for mermaid (GHSA-x3vm-38hw-55wf)

medium Tenable Self-Hosted Container Security Plugin ID 420265

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions
and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into
the generated graph allowing them to change the styling of elements outside of the generated graph, and
potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following
example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value`
attribute one character at a time. Whenever there is an actual match, an `http` request will be made by
the browser in order to "load" a background image that will let an attacker know what's the value of the
character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to
generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user
to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version
9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately
escaped before embedding it in CSS blocks. (CVE-2022-31108)

See Also

https://github.com/advisories/GHSA-x3vm-38hw-55wf

Plugin Details

Severity: Medium

ID: 420265

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 2.3

Percentile: 8.67

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 4.5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2022-31108

CVSS v3

Risk Factor: Medium

Base Score: 6.1

Temporal Score: 5.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/5/2022

Vulnerability Publication Date: 6/28/2022

Reference Information

CVE: CVE-2022-31108