stigmem-node@0.9.0a1

Stigmem reference node — single-host production implementation

  • latest version: 0.9.0a12

  • first published: 1 month ago

  • latest version published: 17 days ago

  • Direct Vulnerabilities

    Known vulnerabilities in the stigmem-node package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability (severity) / Vulnerable versions
    • High: Authorization Bypass Through User-Controlled Key

    stigmem-node is a Stigmem reference node — single-host production implementation

    Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key in the issue_tombstone process and the read-suppression path, where tenant scoping is not properly enforced. An attacker can access or suppress data belonging to other tenants by submitting requests that exploit the lack of tenant isolation. This is only exploitable if the deployment is configured with the stigmem-plugin-multi-tenant plugin enabled, allowing multiple tenants on a single node.

    How to fix Authorization Bypass Through User-Controlled Key?

    Upgrade stigmem-node to version 0.9.0a12 or higher.

    Vulnerable versions: [,0.9.0a12)
    • High: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in the run_decay_sweep process. An attacker can access or modify data belonging to other tenants by initiating a decay sweep with a write credential for one tenant, which acts on all tenants' facts due to missing tenant scoping. This is only exploitable if the deployment is running the opt-in stigmem-plugin-multi-tenant configuration.

    How to fix Incorrect Authorization?

    Upgrade stigmem-node to version 0.9.0a12 or higher.

    Vulnerable versions: [,0.9.0a12)
    • High: Incorrect Authorization

    Affected versions of this package are vulnerable to Incorrect Authorization in routes/quarantine.py. An attacker can read and modify other tenants' quarantined data by sending requests to the /v1/quarantine list and admit/reject endpoints, which do not enforce tenant isolation. This is only exploitable if the deployment is running the opt-in stigmem-plugin-multi-tenant configuration.

    How to fix Incorrect Authorization?

    Upgrade stigmem-node to version 0.9.0a12 or higher.

    Vulnerable versions: [,0.9.0a12)
    • High: Resources Downloaded over Insecure Protocol

    Affected versions of this package are vulnerable to Resources Downloaded over Insecure Protocol in the plugin signature enforcement process. An attacker can execute unauthorized code by placing unsigned plugins in writable plugin directories when signature enforcement is disabled. This is only exploitable if the plugin directories are writable by less-trusted users and the configuration flag to disable signature enforcement is set.

    How to fix Resources Downloaded over Insecure Protocol?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)
    • Critical: Insufficient Verification of Data Authenticity

    Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity in the peer registration process. An attacker can impersonate a federation peer or intercept registration by submitting malicious key material without requiring explicit administrator approval or out-of-band fingerprint verification. This is only exploitable if federation peer registration is exposed to untrusted networks and administrator approval is not enforced.

    How to fix Insufficient Verification of Data Authenticity?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)
    • Critical: Active Debug Code

    Affected versions of this package are vulnerable to Active Debug Code in the federation process when mTLS is explicitly disabled and the node is bound to a non-loopback URL. An attacker can intercept sensitive federation traffic by performing a network man-in-the-middle attack. This is only exploitable if federation is enabled, mTLS is disabled, and the node is configured to listen on a non-loopback interface.

    How to fix Active Debug Code?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)
    • High: Insufficient Verification of Data Authenticity

    Affected versions of this package are vulnerable to Insufficient Verification of Data Authenticity due to improper validation in the peer-token timestamp process. An attacker can cause valid authentication tokens to be rejected by presenting tokens with timestamps that are incorrectly interpreted as expired, leading to disruption of authenticated federation flows and potential denial of service.

    How to fix Insufficient Verification of Data Authenticity?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)
    • Critical: Missing Authorization

    Affected versions of this package are vulnerable to Missing Authorization in deployments where authentication is disabled and the node is bound to a non-loopback URL. An attacker can gain unauthorized read, write, and federation access by connecting to the exposed service. This is only exploitable if authentication is intentionally disabled and the service is accessible from outside the local loopback interface.

    How to fix Missing Authorization?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)
    • High: SQL Injection

    Affected versions of this package are vulnerable to SQL Injection in the handling of Postgres schema identifiers due to improper quoting and interpolation into SQL strings. An attacker can execute arbitrary SQL commands by supplying crafted schema names. This is only exploitable if schema names are derived from untrusted sources such as request, tenant, header, or user input.

    How to fix SQL Injection?

    Upgrade stigmem-node to version 0.9.0a2 or higher.

    Vulnerable versions: [,0.9.0a2)