PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-7794 Sociomantic CVE debrief

CVE-2016-7794 is a critical remote code execution vulnerability in sociomantic-tsunami git-hub, affecting versions through 0.10.2. The supplied description says a remote attacker can execute arbitrary code by using a crafted repository name. Because the issue is network-reachable and requires no user interaction, it should be treated as an emergency for any exposed deployment.

Vendor: Sociomantic
Product: CVE-2016-7794
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-19
Original CVE updated: 2026-05-13
Advisory published: 2017-01-19
Advisory updated: 2026-05-13

Who should care

Administrators, developers, and platform owners running sociomantic-tsunami git-hub, especially any instance that accepts repository names from untrusted or externally supplied input.

Technical summary

The supplied NVD record classifies this issue as CVSS 3.0 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H with CWE-284 (Improper Access Control). NVD lists sociomantic git-hub as vulnerable through version 0.10.2, while the supplied title/description indicate the problem is fixed in 0.10.3. The reference set includes an OSS Security mailing-list post, a SecurityFocus entry, and a GitHub issue tracker item.

Defensive priority

Critical — prioritize immediate upgrade or removal from exposed service paths.

Recommended defensive actions

  • Upgrade sociomantic-tsunami git-hub to 0.10.3 or later as soon as possible.
  • Inventory all deployments and embedded uses of git-hub to confirm no vulnerable 0.10.2-or-earlier instances remain.
  • If immediate upgrade is not possible, limit network exposure and restrict who can submit repository names to the service.
  • Review logs and automation for unusual repository-name activity, especially around any untrusted input paths.
  • If compromise is suspected, treat the host as potentially affected and perform a full incident review before returning it to service.
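The inventory, input-restriction and log-review steps above can be supported with a small script. The following Python is an added example written for this debrief; it is not code from the git-hub project or from the advisory. It assumes three things: that the fixed version is 0.10.3 as the page states, that git-hub versions are plain dotted integers (anything else raises so a human looks at it), and that a conservative `owner/repo` allowlist (alphanumerics, hyphen, underscore and dot) is an acceptable shape for repository names in your environment. The log lines are constructed for the example, and the `repo=` field format is an assumption, not git-hub's own log format.

```python
import re

# Version in which the advisory says the issue is fixed (from the page).
FIXED_VERSION = (0, 10, 3)


def parse_version(version: str) -> tuple:
    """Turn '0.10.2' into (0, 10, 2).

    Comparing tuples of ints avoids the classic string-comparison bug where
    '0.9.9' sorts after '0.10.3'. A component that is not a plain integer
    (for example a pre-release suffix) raises ValueError so the caller has to
    review that install by hand rather than silently treating it as fixed.
    """
    return tuple(int(piece) for piece in version.strip().split("."))


def is_vulnerable_version(version: str) -> bool:
    """True when the installed git-hub version is 0.10.2 or earlier."""
    return parse_version(version) < FIXED_VERSION


# Conservative allowlist for 'owner/repo' (assumption for this example, not
# GitHub's full naming rules): owner starts alphanumeric and may contain
# hyphens, up to 39 chars; repo allows alphanumerics, '-', '_' and '.'.
REPO_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9-]{0,38}/[A-Za-z0-9_.-]{1,100}")


def is_safe_repo_name(name: str) -> bool:
    """Accept only names that match the allowlist exactly; reject '.' and '..'.

    fullmatch() is used so trailing characters (including a newline) fail.
    """
    if not REPO_NAME_RE.fullmatch(name):
        return False
    _owner, repo = name.split("/", 1)
    return repo not in (".", "..")


# Assumed log format for this example: a 'repo=<value>' field on each line.
REPO_FIELD_RE = re.compile(r"\brepo=(\S+)")


def audit_log_lines(lines) -> list:
    """Return repository names in the log that fail the allowlist.

    This is the log-review step: anything that does not look like a normal
    'owner/repo' value is surfaced for a human to inspect.
    """
    flagged = []
    for line in lines:
        m = REPO_FIELD_RE.search(line)
        if m and not is_safe_repo_name(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2017-01-19T10:00:00Z git-hub clone repo=acme/widgets user=alice",
    "2017-01-19T10:01:00Z git-hub clone repo=acme/widgets/extra user=bob",
    "2017-01-19T10:02:00Z git-hub clone repo=acme//widgets user=carol",
    "2017-01-19T10:03:00Z git-hub clone repo=Acme-Org/lib.js user=dave",
]


if __name__ == "__main__":
    for v in ("0.9.9", "0.10", "0.10.2", "0.10.3", "1.0"):
        state = "VULNERABLE" if is_vulnerable_version(v) else "fixed"
        print(f"git-hub {v}: {state}")
    print("flagged repository names:", audit_log_lines(SAMPLE_LOG))
```

Run it against the output of your own inventory (for example the version each host reports for git-hub) and against the log source where repository names are recorded; a non-empty list from `audit_log_lines` is a prompt to look at that request, not proof of compromise.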

Evidence notes

Evidence is drawn from the supplied NVD record and linked references. The NVD CVSS vector is 9.8/critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and the vulnerable CPE range ends at 0.10.2. The supplied title/description state that versions before 0.10.3 are affected. The reference list also shows an OSS Security mailing-list disclosure, a SecurityFocus entry, and a GitHub issue tracker reference. No KEV entry is present in the supplied data.

Official resources

The CVE was published in NVD on 2017-01-19 and later modified on 2026-05-13. The supplied references also point to an OSS Security mailing-list post dated 2016-09-30, indicating earlier public disclosure context. No KEV listing is included.