SCA: security update for hyper-bump-it (GHSA-xc27-f9q3-4448)

medium Tenable Self-Hosted Container Security Plugin ID 420416

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- hyper-bump-it is a command line tool for updating the version in project files.`hyper-bump-it` reads a
file glob pattern from the configuration file. That is combined with the project root directory to
construct a full glob pattern that is used to find files that should be edited. These matched files should
be contained within the project root directory, but that is not checked. This could result in changes
being written to files outside of the project. The default behaviour of `hyper-bump-it` is to display the
planned changes and prompt the user for confirmation before editing any files. However, the configuration
file provides a field that can be used cause files to be edited without displaying the prompt. This issue
has been fixed in release version 0.5.1. Users are advised to upgrade. Users that are unable to update
from vulnerable versions, executing `hyper-bump-it` with the `--interactive` command line argument will
ensure that all planned changes are displayed and prompt the user for confirmation before editing any
files, even if the configuration file contains `show_confirm_prompt=true`. (CVE-2023-41057)

See Also

https://github.com/advisories/GHSA-xc27-f9q3-4448

Plugin Details

Severity: Medium

ID: 420416

Version: Revision 1.5

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Low

CVSS v2

Risk Factor: Medium

Base Score: 4.9

Temporal Score: 3.8

Vector: CVSS2#AV:L/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2023-41057

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 5

Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/4/2023

Vulnerability Publication Date: 9/4/2023

Reference Information

CVE: CVE-2023-41057

cwe: CWE-22