GHSA-w76h-q7c6-jpjp

Source

https://github.com/advisories/GHSA-w76h-q7c6-jpjp

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w76h-q7c6-jpjp/GHSA-w76h-q7c6-jpjp.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w76h-q7c6-jpjp

Aliases

CVE-2026-46380

Published

2026-05-28T18:27:13Z

Modified

2026-05-28T18:30:08.791706493Z

Severity

6.7 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N CVSS Calculator

Summary

compliance-trestle Vulnerable to SSRF in Remote Fetching Subsystem

Details

A source code audit led to the discovery of three significant security vulnerabilities in the trestle/core/remote/cache.py module.

Finding 1 (Critical): SSRF (CWE-918) The HTTPSFetcher.dofetch() method passes a user-supplied URL directly to requests.get() without validation. This allows an attacker to perform Server-Side Request Forgery, targeting internal services or cloud metadata endpoints (e.g., 169.254.169.254).

Per rule 4.2.11 of the CVE CNA rules Finding 1 will be addressed in this advisory, while findings 2 & 3 will be addressed in separate advisories:

Multiple Path Traversal Vulnerabilities in Remote Fetching Subsystem

Finding 2 & 3 (High/Medium): Path Traversal (CWE-22) The caching logic for HTTPSFetcher and LocalFetcher fails to sanitize URI paths, allowing for arbitrary file reads via file:// or writing cached files outside the intended directory.

Impact: > These vulnerabilities can be chained to exfiltrate sensitive cloud credentials or compromise CI/CD environments.

Reproduction: > Please see the attached pocssrfandpathtraversal.py and terminal_output.txt. 13 exploit vectors have been verified locally.

compliance-trestleaudit2026-03-30.pdf pocssrfandpathtraversal.py terminal_output.txt

Database specific

{
    "cwe_ids": [
        "CWE-918"
    ],
    "severity": "MODERATE",
    "github_reviewed_at": "2026-05-28T18:27:13Z",
    "github_reviewed": true,
    "nvd_published_at": null
}

References

Affected packages

PyPI / compliance-trestle

Package

Name: compliance-trestle; View open source insights on deps.dev
Purl: pkg:pypi/compliance-trestle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

4.0.0

Fixed

4.0.3

Affected versions

4.*

4.0.0

4.0.1

4.0.2

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w76h-q7c6-jpjp/GHSA-w76h-q7c6-jpjp.json"

PyPI / compliance-trestle

Package

Name: compliance-trestle; View open source insights on deps.dev
Purl: pkg:pypi/compliance-trestle

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.12.2

Affected versions

0.*

0.0.2

0.0.3

0.1.0

0.1.1

0.2.0

0.2.1

0.2.2

0.3.0

0.4.0

0.5.0

0.6.0

0.6.1

0.6.2

0.7.0

0.7.1

0.7.2

0.8.0

0.8.1

0.9.0

0.10.0

0.11.0

0.12.0

0.13.0

0.13.1

0.14.0

0.14.1

0.14.2

0.14.3

0.14.4

0.15.0

0.15.1

0.16.0

0.17.0

0.18.0

0.18.1

0.19.0

0.20.0

0.21.0

0.22.0

0.22.1

0.23.0

0.24.0

0.25.0

0.25.1

0.26.0

0.27.0

0.27.1

0.27.2

0.28.0

0.28.1

0.29.0

0.30.0

0.31.0

0.32.0

0.32.1

0.33.0

0.34.0

0.35.0

0.36.0

0.37.0

1.*

1.0.0rc0

1.0.1

1.0.2

1.1.0

1.2.0

2.*

2.0.0

2.1.0

2.1.1

2.2.0

2.2.1

2.3.0

2.3.1

2.4.0

2.5.0

2.5.1

2.6.0

2.6.1

3.*

3.0.1

3.1.0

3.2.0

3.3.0

3.4.0

3.5.0

3.6.0

3.7.0

3.8.0

3.8.1

3.9.0

3.9.1

3.9.2

3.9.3

3.10.2

3.10.3

3.10.4

3.11.0

3.12.0

3.12.1

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w76h-q7c6-jpjp/GHSA-w76h-q7c6-jpjp.json"