compliance-trestle - jinja has an Arbitrary File Write via Path Traversal
Description
Relevant Products/Components:
trestle/core/commands/author/jinja.pytrestle author jinja
---
Detailed
Description:
The -o/--output argument in trestle author jinja allows writing files outside the intended workspace.
The application does not properly validate:
../..\- absolute paths
This allows arbitrary file write to attacker-controlled locations.
Vulnerable code:
output_file = trestle_root / r_output_file
An attacker can overwrite files such as:
.github/workflows/*.yml.git/hooks/*- user writable config files
This can lead to CI/CD compromise or local code execution.
---
Steps
To Reproduce:
- Clone the repository:
git clone https://github.com/oscal-compass/compliance-trestle.git
cd compliance-trestle
- Create template:
echo "hello" > template.j2
- Run:
trestle author jinja -i template.j2 -o "subdir\..\..\..\..\..\poc.txt"
- Observe:
dir E:\poc.txt
The file is written outside the repository workspace.
---
Browsers
Verified In:
Not browser related.
Tested on:
- Windows 11
- Python 3.13
---
Supporting
Material/References:
Affected file:
trestle/core/commands/author/jinja.py
Successfully verified:
- directory traversal using
../ - Windows traversal using
..\ - arbitrary file write outside workspace
---
Access
Vector Required for Exploitation:
Local
---
Vulnerability
Exists in Default Configuration?:
Yes
---
Is the exploitation trivial or does it involve a multi-step process that may depend on user/victim interaction?:
Trivial. Single command execution.
---
Exploitation
Requires Authentication?:
No
---
Under what privileges does the vulnerable service or component run?:
Runs with privileges of the user executing the trestle command.
Impact
An attacker can write files outside the intended workspace directory and overwrite sensitive files writable by the current user.
Possible impacts include:
- overwriting
.github/workflows/*.ymlto execute attacker-controlled GitHub Actions workflows - overwriting
.git/hooks/*for local code execution - modifying user configuration files such as
.bashrc - tampering with repository files and generated compliance artifacts
In CI/CD environments, this may result in execution of attacker-controlled commands on build runners.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
compliance-trestlePyPI | >= 4.0.0, < 4.0.3 | 4.0.3 |
compliance-trestlePyPI | < 3.12.2 | 3.12.2 |
Affected products
1- Range: <= 3.12.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-4q5v-7g7x-j79wghsaADVISORY
- github.com/oscal-compass/compliance-trestle/commit/247fcce289f60103f3d8e28d8ec51a6986b94fb6ghsaWEB
- github.com/oscal-compass/compliance-trestle/commit/7d107b3ac53caca7bde97a6278b23cd739d94525ghsaWEB
- github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-4q5v-7g7x-j79wghsaWEB
News mentions
0No linked articles in our index yet.