{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/compliance-trestle/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["compliance-trestle"],"_cs_severities":["high"],"_cs_tags":["compliance-trestle","arbitrary-file-write","path-traversal","rce"],"_cs_type":"advisory","_cs_vendors":["IBM"],"content_html":"\u003cp\u003eThe compliance-trestle library, version 4.0.2 and earlier, contains a vulnerability in its remote fetching cache mechanism (HTTPSFetcher and SFTPFetcher) within the \u003ccode\u003etrestle/core/remote/cache.py\u003c/code\u003e file. This flaw allows for arbitrary file writes due to insufficient sanitization of path traversal sequences (\u003ccode\u003e../\u003c/code\u003e) in URLs. A malicious OSCAL profile referencing a URL containing path traversal elements can cause the HTTP response body to be written to an arbitrary location on the filesystem, outside of the intended cache directory. This vulnerability was reported on 2026-05-27 and can be exploited to achieve remote code execution.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malicious OSCAL profile containing an \u003ccode\u003eimports\u003c/code\u003e section with a URL to a controlled server (e.g., \u003ccode\u003ehttps://evil.com/../../../../../../../tmp/trestle_pwned.json\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe compliance-trestle library parses the malicious OSCAL profile and extracts the URL from the \u003ccode\u003eimports\u003c/code\u003e section.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eHTTPSFetcher\u003c/code\u003e or \u003ccode\u003eSFTPFetcher\u003c/code\u003e class within \u003ccode\u003ecache.py\u003c/code\u003e is instantiated to fetch the remote resource.\u003c/li\u003e\n\u003cli\u003eThe library uses \u003ccode\u003eurlparse\u003c/code\u003e to parse the URL, but it does not sanitize the path component for path traversal sequences.\u003c/li\u003e\n\u003cli\u003eThe library constructs a local cache path using the hostname and the unsanitized path component, resulting in a path outside the intended cache directory.\u003c/li\u003e\n\u003cli\u003eThe library creates the necessary directories using \u003ccode\u003emkdir(parents=True, exist_ok=True)\u003c/code\u003e, effectively creating the arbitrary path on the filesystem.\u003c/li\u003e\n\u003cli\u003eThe library fetches the content from the attacker\u0026rsquo;s server using \u003ccode\u003erequests.get\u003c/code\u003e or an SFTP client.\u003c/li\u003e\n\u003cli\u003eThe fetched content, controlled by the attacker, is written to the arbitrary file path using \u003ccode\u003ewrite_text\u003c/code\u003e, leading to arbitrary file write and potentially remote code execution (e.g., by writing to cron job directories or SSH authorized keys).\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to write arbitrary files to the filesystem with the privileges of the user running the compliance-trestle application. This can lead to various impacts, including remote code execution via cron job injection, unauthorized SSH access via authorized keys injection, or configuration file overwrites. The number of victims and targeted sectors are currently unknown, but any system using a vulnerable version of compliance-trestle is susceptible.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of compliance-trestle that addresses the path traversal vulnerability.\u003c/li\u003e\n\u003cli\u003eApply the provided remediation steps to sanitize path components and implement boundary checks in \u003ccode\u003ecache.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for requests to suspicious domains like \u003ccode\u003eevil.com\u003c/code\u003e referenced in the IOC table.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-27T22:58:35Z","date_published":"2026-05-27T22:58:35Z","id":"https://feed.craftedsignal.io/briefs/2026-05-compliance-trestle-arbitrary-file-write/","summary":"The compliance-trestle library is vulnerable to an arbitrary file write via cache path traversal due to improper sanitization of URL path components in the remote fetching cache mechanism, potentially leading to remote code execution.","title":"compliance-trestle Arbitrary File Write via Cache Path Traversal","url":"https://feed.craftedsignal.io/briefs/2026-05-compliance-trestle-arbitrary-file-write/"}],"language":"en","title":"CraftedSignal Threat Feed — Compliance-Trestle","version":"https://jsonfeed.org/version/1.1"}