PYSEC-2026-2423
Vulnerability from pysec - Published: 2026-07-13 15:19 - Updated: 2026-07-13 16:03Relevant Products/Components:
trestle/core/commands/author/jinja.pytrestle author jinja
Detailed Description:
The -o/--output argument in trestle author jinja allows writing files outside the intended workspace.
The application does not properly validate:
../..\- absolute paths
This allows arbitrary file write to attacker-controlled locations.
Vulnerable code:
output_file = trestle_root / r_output_file
An attacker can overwrite files such as:
.github/workflows/*.yml.git/hooks/*- user writable config files
This can lead to CI/CD compromise or local code execution.
Steps To Reproduce:
- Clone the repository:
git clone https://github.com/oscal-compass/compliance-trestle.git
cd compliance-trestle
- Create template:
echo "hello" > template.j2
- Run:
trestle author jinja -i template.j2 -o "subdir\..\..\..\..\..\poc.txt"
- Observe:
dir E:\poc.txt
The file is written outside the repository workspace.
Browsers Verified In:
Not browser related.
Tested on:
- Windows 11
- Python 3.13
Supporting Material/References:
Affected file:
trestle/core/commands/author/jinja.py
Successfully verified:
- directory traversal using
../ - Windows traversal using
..\ - arbitrary file write outside workspace
Access Vector Required for Exploitation:
Local
Vulnerability Exists in Default Configuration?:
Yes
Is the exploitation trivial or does it involve a multi-step process that may depend on user/victim interaction?:
Trivial. Single command execution.
Exploitation Requires Authentication?:
No
Under what privileges does the vulnerable service or component run?:
Runs with privileges of the user executing the trestle command.
Impact
An attacker can write files outside the intended workspace directory and overwrite sensitive files writable by the current user.
Possible impacts include:
- overwriting
.github/workflows/*.ymlto execute attacker-controlled GitHub Actions workflows - overwriting
.git/hooks/*for local code execution - modifying user configuration files such as
.bashrc - tampering with repository files and generated compliance artifacts
In CI/CD environments, this may result in execution of attacker-controlled commands on build runners.
| Name | purl | compliance-trestle | pkg:pypi/compliance-trestle |
|---|
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "compliance-trestle",
"purl": "pkg:pypi/compliance-trestle"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.12.2"
},
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.0.2",
"0.0.3",
"0.1.0",
"0.1.1",
"0.10.0",
"0.11.0",
"0.12.0",
"0.13.0",
"0.13.1",
"0.14.0",
"0.14.1",
"0.14.2",
"0.14.3",
"0.14.4",
"0.15.0",
"0.15.1",
"0.16.0",
"0.17.0",
"0.18.0",
"0.18.1",
"0.19.0",
"0.2.0",
"0.2.1",
"0.2.2",
"0.20.0",
"0.21.0",
"0.22.0",
"0.22.1",
"0.23.0",
"0.24.0",
"0.25.0",
"0.25.1",
"0.26.0",
"0.27.0",
"0.27.1",
"0.27.2",
"0.28.0",
"0.28.1",
"0.29.0",
"0.3.0",
"0.30.0",
"0.31.0",
"0.32.0",
"0.32.1",
"0.33.0",
"0.34.0",
"0.35.0",
"0.36.0",
"0.37.0",
"0.4.0",
"0.5.0",
"0.6.0",
"0.6.1",
"0.6.2",
"0.7.0",
"0.7.1",
"0.7.2",
"0.8.0",
"0.8.1",
"0.9.0",
"1.0.0rc0",
"1.0.1",
"1.0.2",
"1.1.0",
"1.2.0",
"2.0.0",
"2.1.0",
"2.1.1",
"2.2.0",
"2.2.1",
"2.3.0",
"2.3.1",
"2.4.0",
"2.5.0",
"2.5.1",
"2.6.0",
"2.6.1",
"3.0.1",
"3.1.0",
"3.10.2",
"3.10.3",
"3.10.4",
"3.11.0",
"3.12.0",
"3.12.1",
"3.2.0",
"3.3.0",
"3.4.0",
"3.5.0",
"3.6.0",
"3.7.0",
"3.8.0",
"3.8.1",
"3.9.0",
"3.9.1",
"3.9.2",
"3.9.3",
"4.0.0",
"4.0.1",
"4.0.2"
]
}
],
"aliases": [
"CVE-2026-46345",
"GHSA-4q5v-7g7x-j79w"
],
"details": "**Relevant Products/Components:**\n\n* `trestle/core/commands/author/jinja.py`\n* `trestle author jinja`\n\n---\n\n## Detailed Description:\n\nThe `-o/--output` argument in `trestle author jinja` allows writing files outside the intended workspace.\n\nThe application does not properly validate:\n\n* `../`\n* `..\\`\n* absolute paths\n\nThis allows arbitrary file write to attacker-controlled locations.\n\nVulnerable code:\n\n```python\noutput_file = trestle_root / r_output_file\n```\n\nAn attacker can overwrite files such as:\n\n* `.github/workflows/*.yml`\n* `.git/hooks/*`\n* user writable config files\n\nThis can lead to CI/CD compromise or local code execution.\n\n---\n\n## Steps To Reproduce:\n\n1. Clone the repository:\n\n```bash\ngit clone https://github.com/oscal-compass/compliance-trestle.git\ncd compliance-trestle\n```\n\n2. Create template:\n\n```bash\necho \"hello\" \u003e template.j2\n```\n\n3. Run:\n\n```powershell\ntrestle author jinja -i template.j2 -o \"subdir\\..\\..\\..\\..\\..\\poc.txt\"\n```\n\n4. Observe:\n\n```powershell\ndir E:\\poc.txt\n```\n\nThe file is written outside the repository workspace.\n\n---\n\n## Browsers Verified In:\n\nNot browser related.\n\nTested on:\n\n* Windows 11\n* Python 3.13\n\n---\n\n## Supporting Material/References:\n\nAffected file:\n\n```text\ntrestle/core/commands/author/jinja.py\n```\n\nSuccessfully verified:\n\n* directory traversal using `../`\n* Windows traversal using `..\\`\n* arbitrary file write outside workspace\n\n---\n\n## Access Vector Required for Exploitation:\n\nLocal\n\n---\n\n## Vulnerability Exists in Default Configuration?:\n\nYes\n\n---\n\n## Is the exploitation trivial or does it involve a multi-step process that may depend on user/victim interaction?:\n\nTrivial.\nSingle command execution.\n\n---\n\n## Exploitation Requires Authentication?:\n\nNo\n\n---\n\n## Under what privileges does the vulnerable service or component run?:\n\nRuns with privileges of the user executing the `trestle` command.\n\n## Impact\n\nAn attacker can write files outside the intended workspace directory and overwrite sensitive files writable by the current user.\n\nPossible impacts include:\n\n* overwriting `.github/workflows/*.yml` to execute attacker-controlled GitHub Actions workflows\n* overwriting `.git/hooks/*` for local code execution\n* modifying user configuration files such as `.bashrc`\n* tampering with repository files and generated compliance artifacts\n\nIn CI/CD environments, this may result in execution of attacker-controlled commands on build runners.",
"id": "PYSEC-2026-2423",
"modified": "2026-07-13T16:03:45.419078Z",
"published": "2026-07-13T15:19:13.079771Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-4q5v-7g7x-j79w"
},
{
"type": "WEB",
"url": "https://github.com/oscal-compass/compliance-trestle/commit/247fcce289f60103f3d8e28d8ec51a6986b94fb6"
},
{
"type": "WEB",
"url": "https://github.com/oscal-compass/compliance-trestle/commit/7d107b3ac53caca7bde97a6278b23cd739d94525"
},
{
"type": "PACKAGE",
"url": "https://github.com/oscal-compass/compliance-trestle"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/compliance-trestle"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-4q5v-7g7x-j79w"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-46345"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "compliance-trestle - jinja has an Arbitrary File Write via Path Traversal"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.