SCA: security update for github.com/anchore/quill (GHSA-g32c-4pvp-769g)

medium Tenable Self-Hosted Container Security Plugin ID 438653

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Quill provides simple mac binary signing and notarization from any platform. Quill before version v0.7.1
has unbounded reads of HTTP response bodies during the Apple notarization process. Exploitation requires
the ability to modify API responses from Apple's notarization service, which is not possible under
standard network conditions due to HTTPS with proper TLS certificate validation; however, environments
with TLS-intercepting proxies (common in corporate networks), compromised certificate authorities, or
other trust boundary violations are at risk. When processing HTTP responses during notarization, Quill
reads the entire response body into memory without any size limit. An attacker who can control or modify
the response content can return an arbitrarily large payload, causing the Quill client to run out of
memory and crash. The impact is limited to availability; there is no effect on confidentiality or
integrity. Both the Quill CLI and library are affected when used to perform notarization operations. This
vulnerability is fixed in 0.7.1. (CVE-2026-31960)
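The defect described above is the classic unbounded-read pattern. The following Go program is an added illustration and is not code from Quill or from this advisory: `readUnbounded` shows the vulnerable shape, `readBounded` the corrective one, and `oversizedServer` is a constructed stand-in for the notarization endpoint (all three names and the 64 KiB cap are assumptions, not values from the project).

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrResponseTooLarge is returned when a response body exceeds the cap.
var ErrResponseTooLarge = errors.New("response body exceeds size limit")

// readUnbounded shows the vulnerable pattern: the whole body is buffered
// regardless of length, so a hostile server can exhaust client memory.
func readUnbounded(resp *http.Response) ([]byte, error) {
	defer resp.Body.Close()
	return io.ReadAll(resp.Body)
}

// readBounded buffers at most limit bytes; it reads one byte past the limit so
// a body of exactly limit bytes is accepted while a larger one is rejected.
func readBounded(resp *http.Response, limit int64) ([]byte, error) {
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(body)) > limit {
		return nil, ErrResponseTooLarge
	}
	return body, nil
}

// oversizedServer is a constructed stand-in for the API that answers with n bytes of filler.
func oversizedServer(n int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, strings.Repeat("A", n)) // write error ignored: client may hang up early
	}))
}

func main() {
	srv := oversizedServer(1 << 20) // 1 MiB, far larger than any real status document
	defer srv.Close()
	resp, err := srv.Client().Get(srv.URL)
	if err != nil {
		panic(err)
	}
	_, err = readBounded(resp, 64*1024)
	fmt.Println("bounded read:", err) // bounded read: response body exceeds size limit
}
```

The cap should be sized to the largest legitimate response the endpoint returns; the point is that memory use is then bounded by the client, not by whoever controls the response.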

Solution

Update the github.com/anchore/quill library and its related packages to version 0.7.1 or later.

See Also

https://github.com/advisories/GHSA-g32c-4pvp-769g

Plugin Details

Severity: Medium

ID: 438653

Version: Revision 1.9

Type: Local

Family: SCA Checks

Published: 3/12/2026

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.73

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:A/AC:H/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2026-31960

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 4.6

Vector: CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/11/2026

Vulnerability Publication Date: 3/11/2026

Reference Information

CVE: CVE-2026-31960

CWE: CWE-770