logo

Database

Lack of data validation - Path Traversal In compliance-trestle

Description

compliance-trestle - jinja has an Arbitrary File Write via Path Traversal Relevant Products/Components:

    trestle/core/commands/author/jinja.py

    trestle author jinja

Detailed Description:

The -o/--output argument in trestle author jinja allows writing files outside the intended workspace.

The application does not properly validate:

    ../

    ..\

    absolute paths

This allows arbitrary file write to attacker-controlled locations.

Vulnerable code:

output_file = trestle_root / r_output_file

An attacker can overwrite files such as:

    .github/workflows/*.yml

    .git/hooks/*

    user writable config files

This can lead to CI/CD compromise or local code execution.

Steps To Reproduce:

    Clone the repository:

git clone https://github.com/oscal-compass/compliance-trestle.git
cd compliance-trestle

    Create template:

echo "hello" > template.j2

    Run:

trestle author jinja -i template.j2 -o "subdir\..\..\..\..\..\poc.txt"

    Observe:

dir E:\poc.txt

The file is written outside the repository workspace.

Browsers Verified In:

Not browser related.

Tested on:

    Windows 11

    Python 3.13

Supporting Material/References:

Affected file:

trestle/core/commands/author/jinja.py

Successfully verified:

    directory traversal using ../

    Windows traversal using ..\

    arbitrary file write outside workspace

Access Vector Required for Exploitation:

Local

Vulnerability Exists in Default Configuration?:

Yes

Is the exploitation trivial or does it involve a multi-step process that may depend on user/victim interaction?:

Trivial. Single command execution.

Exploitation Requires Authentication?:

No

Under what privileges does the vulnerable service or component run?:

Runs with privileges of the user executing the trestle command.

Impact

An attacker can write files outside the intended workspace directory and overwrite sensitive files writable by the current user.

Possible impacts include:

    overwriting .github/workflows/*.yml to execute attacker-controlled GitHub Actions workflows

    overwriting .git/hooks/* for local code execution

    modifying user configuration files such as .bashrc

    tampering with repository files and generated compliance artifacts

In CI/CD environments, this may result in execution of attacker-controlled commands on build runners.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-463452. NVD-2026-463453. OSV-2026-463454. GHSA-4q5v-7g7x-j79w5. GCVE-2026-46345

References

1. https://github.com/oscal-compass/compliance-trestle/security/advisories/GHSA-4q5v-7g7x-j79w2. https://github.com/oscal-compass/compliance-trestle/commit/247fcce289f60103f3d8e28d8ec51a6986b94fb63. https://github.com/oscal-compass/compliance-trestle/commit/7d107b3ac53caca7bde97a6278b23cd739d94525

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.