An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out of bounds memory.

An update of the libssh2 package has been released.

The version of AOS installed on the remote host is prior to 6.7.1.6. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.7.1.6 advisory.

  - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x     before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If     a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,     there is a brief window where the SSLSocket instance will detect the socket as not connected and won't     initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not     be authenticated if the server-side TLS peer is expecting client certificate authentication, and is     indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the     buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path     requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)

  - An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur     11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently     printed documents. (CVE-2023-32360)

  - VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted     Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-     security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate     their privileges if that target virtual machine has been assigned a more privileged Guest Alias     https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-34058)

  - open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious     actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to     simulate user inputs. (CVE-2023-34059)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle     GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated     attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can     only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web     Start applications or Untrusted Java applets, such as through a web service. (CVE-2023-22067)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381,     8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:
    20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note:
    This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-22081)

  - A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-     vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine     may be able to elevate their privileges if that target virtual machine has been assigned a more privileged     Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-     public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-20900)

  - The code that processes control channel messages sent to `named` calls certain functions recursively     during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on     the environment, this may cause the packet-parsing code to run out of available stack memory, causing     `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its     contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
    only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9     versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through     9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read     access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible     data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a     web service which supplies data to the APIs. This vulnerability also applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. (CVE-2023-22045)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle     GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified     Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. (CVE-2023-22049)

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AHV installed on the remote host is prior to 20220304.480. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20220304.480 advisory.

  - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x     before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If     a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,     there is a brief window where the SSLSocket instance will detect the socket as not connected and won't     initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not     be authenticated if the server-side TLS peer is expecting client certificate authentication, and is     indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the     buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path     requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

  - The code that processes control channel messages sent to `named` calls certain functions recursively     during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on     the environment, this may cause the packet-parsing code to run out of available stack memory, causing     `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its     contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
    only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9     versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through     9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

  - A side channel vulnerability on some of the AMD CPUs may allow an attacker to influence the return address     prediction. This may result in speculative execution at an attacker-controlled address, potentially     leading to information disclosure. (CVE-2023-20569)

  - An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to     potentially access sensitive information. (CVE-2023-20593)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.5.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.5.5 advisory.

  - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x     before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If     a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,     there is a brief window where the SSLSocket instance will detect the socket as not connected and won't     initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not     be authenticated if the server-side TLS peer is expecting client certificate authentication, and is     indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the     buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path     requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)

  - An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur     11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently     printed documents. (CVE-2023-32360)

  - VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted     Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-     security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate     their privileges if that target virtual machine has been assigned a more privileged Guest Alias     https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-34058)

  - open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious     actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to     simulate user inputs. (CVE-2023-34059)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle     GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated     attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can     only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web     Start applications or Untrusted Java applets, such as through a web service. (CVE-2023-22067)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of     Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381,     8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:
    20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network     access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
    Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of     service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note:
    This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-22081)

  - A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-     vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine     may be able to elevate their privileges if that target virtual machine has been assigned a more privileged     Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-     public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-     db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-20900)

  - An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to     potentially access sensitive information. (CVE-2023-20593)

  - An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7.
    It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets.
    This may result in denial of service or privilege escalation. (CVE-2023-35788)

  - The code that processes control channel messages sent to `named` calls certain functions recursively     during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on     the environment, this may cause the packet-parsing code to run out of available stack memory, causing     `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its     contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
    only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9     versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through     9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)

  - Information exposure through microarchitectural state after transient execution in certain vector     execution units for some Intel(R) Processors may allow an authenticated user to potentially enable     information disclosure via local access. (CVE-2022-40982)

  - An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited     to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-     of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend     upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an     error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
    (CVE-2023-3776)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to     achieve local privilege escalation. When route4_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
    (CVE-2023-4206)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to     achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result     struct is always copied into the new instance of the filter. This causes a problem when updating a filter     bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,     decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-     free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. When u32_change() is called on an existing filter, the whole     tcf_result struct is always copied into the new instance of the filter. This causes a problem when     updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the     success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading     to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
    (CVE-2023-4208)

  - In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests     can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users     can obtain root privileges. This occurs because anonymous sets are mishandled. (CVE-2023-32233)

  - Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register     contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)

  - A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to     achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return     an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can     control the reference counter and set it to zero, they can cause the reference to be freed, leading to a     use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
    (CVE-2023-3609)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read     access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible     data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a     web service which supplies data to the APIs. This vulnerability also applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. (CVE-2023-22045)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of     Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371,     8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle     GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker     with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise     Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle     GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified     Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to     Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java     applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java     sandbox for security. (CVE-2023-22049)

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of F5 Networks BIG-IP installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the K000138219 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:5615 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2023-5615 advisory.

    [1.8.0-4.el7_9.1]
    - fix use-of-uninitialized-value (CVE-2020-22218)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2023:5615 advisory.

    The libssh2 packages provide a library that implements the SSH2 protocol.

    Security Fix(es):

    * libssh2: use-of-uninitialized-value in _libssh2_transport_read (CVE-2020-22218)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of libssh2 installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2020-22218 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of libssh2 installed on the remote host is prior to 1.4.2-3.14. It is, therefore, affected by a vulnerability as referenced in the ALAS-2023-1834 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:3738-1 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of libssh2 installed on the remote host is prior to 1.4.3-12. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2023-2257 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-6371-1 advisory.

    It was discovered that libssh2 incorrectly handled memory access. An attacker could possibly use this     issue to cause a crash.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2023:3555-1 advisory.

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3559 advisory.

  - In libssh2 before 1.9.0, kex_method_diffie_hellman_group_exchange_sha256_key_exchange in kex.c has an     integer overflow that could lead to an out-of-bounds read in the way packets are read from the server. A     remote attacker who compromises a SSH server may be able to disclose sensitive information or cause a     denial of service condition on the client system when a user connects to the server. This is related to an
    _libssh2_check_length mistake, and is different from the various issues fixed in 1.8.1, such as     CVE-2019-3855. (CVE-2019-13115)

  - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow     in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent     memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of     service condition on the client system when a user connects to the server. (CVE-2019-17498)

  - An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out     of bounds memory. (CVE-2020-22218)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
204473	Photon OS 4.0: Libssh2 PHSA-2023-4.0-0465	Nessus	PhotonOS Local Security Checks	high
204329	Photon OS 5.0: Libssh2 PHSA-2023-5.0-0094	Nessus	PhotonOS Local Security Checks	high
190859	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.7.1.6)	Nessus	Misc.	high
190819	Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20220304.480)	Nessus	Misc.	medium
190796	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.5.5)	Nessus	Misc.	high
188029	F5 Networks BIG-IP : libssh2 vulnerability (K000138219)	Nessus	F5 Networks Local Security Checks	high
187229	CentOS 7 : libssh2 (RHSA-2023:5615)	Nessus	CentOS Local Security Checks	high
182868	Oracle Linux 7 : libssh2 (ELSA-2023-5615)	Nessus	Oracle Linux Local Security Checks	high
182830	RHEL 7 : libssh2 (RHSA-2023:5615)	Nessus	Red Hat Local Security Checks	high
182151	CBL Mariner 2.0 Security Update: libssh2 (CVE-2020-22218)	Nessus	MarinerOS Local Security Checks	high
181849	Amazon Linux AMI : libssh2 (ALAS-2023-1834)	Nessus	Amazon Linux Local Security Checks	high
181826	SUSE SLES12 Security Update : libssh2_org (SUSE-SU-2023:3738-1)	Nessus	SuSE Local Security Checks	high
181719	Amazon Linux 2 : libssh2 (ALAS-2023-2257)	Nessus	Amazon Linux Local Security Checks	high
181453	Ubuntu 16.04 ESM / 18.04 LTS / 20.04 LTS : libssh2 vulnerability (USN-6371-1)	Nessus	Ubuntu Local Security Checks	high
181200	openSUSE 15 Security Update : libssh2_org (SUSE-SU-2023:3555-1)	Nessus	SuSE Local Security Checks	high
181187	Debian DLA-3559-1 : libssh2 - LTS security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2020-22218

high

Tenable Plugins

high

high

high

medium

high

high

high

high

high

high

high

high

high

high

high

high