SCA: security update for piccolo (GHSA-xq59-7jf3-rjc6)

critical Tenable Self-Hosted Container Security Plugin ID 420618

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Piccolo is an object-relational mapping and query builder which supports asyncio. Prior to version 1.1.1,
the handling of named transaction `savepoints` in all database implementations is vulnerable to SQL
Injection via f-strings. While the likelihood of an end developer exposing a `savepoints` `name` parameter
to a user is highly unlikely, it would not be unheard of. If a malicious user was able to abuse this
functionality they would have essentially direct access to the database and the ability to modify data to
the level of permissions associated with the database user. A non exhaustive list of actions possible
based on database permissions is: Read all data stored in the database, including usernames and password
hashes; insert arbitrary data into the database, including modifying existing records; and gain a shell on
the underlying server. Version 1.1.1 fixes this issue. (CVE-2023-47128)

See Also

https://github.com/advisories/GHSA-xq59-7jf3-rjc6

Plugin Details

Severity: Critical

ID: 420618

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.3

Percentile: 53.37

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2023-47128

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: Critical

Base Score: 9.3

Threat Score: 8.8

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/12/2023

Vulnerability Publication Date: 11/10/2023

Reference Information

CVE: CVE-2023-47128

cwe: CWE-89