compliance-trestle 3.11.0

Direct Vulnerabilities

Known vulnerabilities in the compliance-trestle package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Improper Neutralization of Special Elements Used in a Template Engine compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the `render_template` method. An attacker can execute arbitrary commands with the privileges of the running process by injecting malicious payloads into data fields that are rendered by trusted templates. Note: This is only exploitable if attacker-controlled input data is rendered into a trusted template and the user/operator processes the attacker-controlled data, such as SSP or LUT files. How to fix Improper Neutralization of Special Elements Used in a Template Engine? Upgrade `compliance-trestle` to version 3.12.2, 4.0.3 or higher.	[,3.12.2)[4.0.0,4.0.3)
H Server-side Request Forgery (SSRF) compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the `HTTPSFetcher._do_fetch` function. A user can access internal services or cloud metadata endpoints by supplying a crafted URL that is passed directly to the underlying HTTP request. How to fix Server-side Request Forgery (SSRF)? Upgrade `compliance-trestle` to version 3.12.2, 4.0.3 or higher.	[,3.12.2)[4.0.0,4.0.3)
M Directory Traversal compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Directory Traversal via the profile import mechanism. An attacker can read arbitrary files on the server filesystem by supplying a crafted OSCAL profile YAML with malicious `imports[].href` values containing path traversal sequences. Note: This is only exploitable if a victim imports or resolves an attacker-controlled OSCAL profile YAML. How to fix Directory Traversal? Upgrade `compliance-trestle` to version 3.12.2, 4.0.3 or higher.	[,3.12.2)[4.0.0,4.0.3)
H Directory Traversal compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Directory Traversal through remote cache fetching. An attacker can write arbitrary files to locations outside the intended cache directory by supplying specially crafted URLs containing path traversal sequences, resulting in the ability to overwrite sensitive files or inject malicious content. How to fix Directory Traversal? Upgrade `compliance-trestle` to version 3.12.2, 4.0.3 or higher.	[,3.12.2)[4.0.0,4.0.3)
H External Control of File Name or Path compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to External Control of File Name or Path via the `-o/--output` argument in the `trestle author jinja`. An attacker can overwrite arbitrary files outside the intended workspace by supplying crafted path traversal sequences, such as `../` or absolute paths, as output destinations. This can result in the modification of sensitive files, execution of attacker-controlled code, or compromise of CI/CD workflows. How to fix External Control of File Name or Path? Upgrade `compliance-trestle` to version 3.12.2, 4.0.3 or higher.	[,3.12.2)[4.0.0,4.0.3)

Vulnerability

Vulnerable Version

Improper Neutralization of Special Elements Used in a Template Engine

compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the render_template method. An attacker can execute arbitrary commands with the privileges of the running process by injecting malicious payloads into data fields that are rendered by trusted templates.

Note: This is only exploitable if attacker-controlled input data is rendered into a trusted template and the user/operator processes the attacker-controlled data, such as SSP or LUT files.

How to fix Improper Neutralization of Special Elements Used in a Template Engine?

Upgrade compliance-trestle to version 3.12.2, 4.0.3 or higher.

[,3.12.2)[4.0.0,4.0.3)

Server-side Request Forgery (SSRF)

compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the HTTPSFetcher._do_fetch function. A user can access internal services or cloud metadata endpoints by supplying a crafted URL that is passed directly to the underlying HTTP request.

How to fix Server-side Request Forgery (SSRF)?

Upgrade compliance-trestle to version 3.12.2, 4.0.3 or higher.

[,3.12.2)[4.0.0,4.0.3)

Directory Traversal

compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models

Affected versions of this package are vulnerable to Directory Traversal via the profile import mechanism. An attacker can read arbitrary files on the server filesystem by supplying a crafted OSCAL profile YAML with malicious imports[].href values containing path traversal sequences.

Note: This is only exploitable if a victim imports or resolves an attacker-controlled OSCAL profile YAML.

How to fix Directory Traversal?

Upgrade compliance-trestle to version 3.12.2, 4.0.3 or higher.

[,3.12.2)[4.0.0,4.0.3)

Directory Traversal

compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models

Affected versions of this package are vulnerable to Directory Traversal through remote cache fetching. An attacker can write arbitrary files to locations outside the intended cache directory by supplying specially crafted URLs containing path traversal sequences, resulting in the ability to overwrite sensitive files or inject malicious content.

How to fix Directory Traversal?

Upgrade compliance-trestle to version 3.12.2, 4.0.3 or higher.

[,3.12.2)[4.0.0,4.0.3)

External Control of File Name or Path

compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models

Affected versions of this package are vulnerable to External Control of File Name or Path via the -o/--output argument in the trestle author jinja. An attacker can overwrite arbitrary files outside the intended workspace by supplying crafted path traversal sequences, such as ../ or absolute paths, as output destinations. This can result in the modification of sensitive files, execution of attacker-controlled code, or compromise of CI/CD workflows.

How to fix External Control of File Name or Path?

Upgrade compliance-trestle to version 3.12.2, 4.0.3 or higher.

[,3.12.2)[4.0.0,4.0.3)

compliance-trestle@3.11.0

Tools to manage & autogenerate python objects representing the OSCAL layers/models

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically