SCA: security update for github.com/harness/gitness (GHSA-w469-hj2f-jpr5)

high Tenable Self-Hosted Container Security Plugin ID 435151

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Harness Open Source is an end-to-end developer platform with Source Control Management, CI/CD Pipelines,
Hosted Developer Environments, and Artifact Registries. Prior to version 3.3.0, Open Source Harness git
LFS server (Gitness) exposes api to retrieve and upload files via git LFS. Implementation of upload git
LFS file api is vulnerable to arbitrary file write. Due to improper sanitization for upload path, a
malicious authenticated user who has access to Harness Gitness server api can use a crafted upload request
to write arbitrary file to any location on file system, may even compromise the server. Users using git
LFS are vulnerable. This issue has been patched in version 3.3.0. (CVE-2025-58158)

See Also

https://github.com/advisories/GHSA-w469-hj2f-jpr5

Plugin Details

Severity: High

ID: 435151

Version: Revision 1.12

Type: Local

Family: SCA Checks

Published: 8/29/2025

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.49

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2025-58158

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 8/29/2025

Vulnerability Publication Date: 8/29/2025

Reference Information

CVE: CVE-2025-58158