All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for https://snyk.io/vuln/SNYK-JS-DATATABLESNET-598806.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the   allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using   Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which   addresses this issue. (CVE-2023-39410)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function   EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the   'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required   to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call   EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the   implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the   plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a   second time with a buffer that is too small. A malicious attacker who is able present SM2 content for   decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of   62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour   or causing the application to crash. The location of the buffer is application dependent but is typically   heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using   SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend   upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.4.2 or earlier. It is, therefore, affected by multiple vulnerabilities in OpenSSL prior to version 3.0.8, spin.js prior to version 2.3.2, and datatables.net prior to version 1.13.2:
    
    - An attacker that had observed a genuine connection between a client and a server could use the flaw to send trial       messages to the server and record the time taken to process them. After a sufficiently large number of messages       the attacker could recover the pre-master secret used for the original connection. (CVE-2022-4304)

    - The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and decodes any header data and the payload       data. Under certain conditions, a double free will occur. This will most likely lead to a crash. (CVE-2022-4450)

    - The public API function BIO_new_NDEF is a helper function used for streaming ASN.1 data via a BIO. Under certain conditions,       the BIO chain is not properly cleaned up and the BIO passed by the caller still retains internal pointers to the previously       freed filter BIO. This will most likely result in a crash. (CVE-2023-0215)

    - An invalid pointer dereference on read can be triggered when an application tries to load malformed PKCS7 data. The result of the       dereference is an application crash which could lead to a denial of service attack. (CVE-2023-0216)

    - An invalid pointer dereference on read can be triggered when an application tries to check a malformed DSA public key by the       EVP_PKEY_public_check() function. This will most likely lead to an application crash. (CVE-2023-0217)

    - A NULL pointer can be dereferenced when signatures are being verified on PKCS7 signed or signedAndEnveloped data. In case the hash       algorithm used for the signature is known to the OpenSSL library but the implementation of the hash algorithm is not available the       digest initialization will fail. (CVE-2023-0401) 

    - A read buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking, which       might result in a crash which could lead to a denial of service attack. (CVE-2022-4203)

    - All versions of package datatables.net are vulnerable to Prototype Pollution due to an incomplete fix for       https:/snyk.io/vuln/SNYK-JS-DATATABLESNET-598806. (CVE-2020-28458)

    - With the package datatables.net before 1.11.3 if an array is passed to the HTML escape entities function it would not       have its contents escaped. (CVE-2021-23445)

    - jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of       Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the       native Object.prototype. (CVE-2019-11358)

    - In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted       sources, even after sanitizing it, to one of jQuery DOM manipulation methods may execute untrusted code. (CVE-2020-11023)

    - jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method that fails to recognize and remove <script>       HTML tags that contain a whitespace character and trigger execution of the enclosed script logic. (CVE-2020-7656)

According to its self-reported version, the Tenable Nessus application running on the remote host is 10.x prior to 10.3.1. It is, therefore, affected by multiple vulnerabilities, including:

  - A use-after-free vulnerability in the doContent function in xmlparse.c in libexpat. (CVE-2022-40674)

  - A path traversal vulnerability in the locale string handling functionality of Moment.js. (CVE-2022-24785)

  - A denial of service vulnerability in the string-to-date parsing functinality in Moment.js (CVE-2022-31129)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version   number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1169 advisory.

    The ovirt-engine package provides the manager for virtualization environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    A list of bugs fixed in this update is available in the Technical Notes     book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

    Security Fix(es):

    * nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)

    * m2crypto: bleichenbacher timing attacks in the RSA decryption API (CVE-2020-25657)

    * datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

    * nodejs-immer: prototype pollution may lead to DoS or remote code execution (CVE-2020-28477)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2021:1186 advisory.

    The ovirt-engine package provides the manager for virtualization environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    Bug Fix(es):
    * Previously, saving user preferences in the Red Hat Virtualization Manager required the MANIPULATE_USERS     permission level. As a result, user preferences were not saved on the server.
    In this release, the required permission level for saving user preferences was changed to EDIT_PROFILE,     which is the permission level assigned by default to all users. As a result, saving user preferences works     as expected. (BZ#1920539)

    A list of bugs fixed in this update is available in the Technical Notes     book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

    Security Fix(es):

    * nodejs-bootstrap-select: not escaping title values on <option> may lead to XSS (CVE-2019-20921)

    * datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2021:1184 advisory.

    The ovirt-hosted-engine-setup package provides a self-hosted engine tool for the Red Hat Virtualization     Manager. A self-hosted engine is a virtualized environment in which the Manager runs on a virtual machine     on the hosts managed by the Manager.
    Bug Fix(es):

    * In this release, it is now possible to enter a path to the OVA archive for local appliance installation     using the cockpit-ovirt UI. (BZ#1755156)

    * Previously, following a successful migration on the Self-hosted Engine, he HA agent on the source host     immediately moved to the state EngineDown, and shorly thereafter tried to start the engine locally, if the     destination host didn't update the shared storage quickly enough, marking the Manager virtual machine as     being up.
    As a result, starting the virtual machine failed due to a shared lock held by the destination host. This     also resulted in generating false alarms and notifications.
    In this release, the HA agent first moves to the state EngineMaybeAway, providing the destination host     more time to update the shared storage with the updated state. As a result, no notifications or false     alarms are generated.
    Note: in scenarios where the virtual machine needs to be started on the source host, this fix slightly     increases the time it takes the Manager virtual     machine on the source host to start. (BZ#1815589)

    * Previously, if a host in the Self-hosted Engine had an ID number higher than 64, other hosts did not     recognize that host, and the host did not appear in 'hosted-engine --vm-status'.
    In this release, the Self-hosted Engine allows host ID numbers of up to 2000. (BZ#1916032)

    * ovirt-hosted-engine-setup now requires ansible-2.9.17. (BZ#1921108)

    * Previously the logical names for disks without a mounted filesystem were not displayed in the Red Hat     Virtualization Manager.
    In this release, logical names for such disks are properly reported provided the version of QEMU Guest     Agent in the virtual machine is 5.2 or higher. (BZ#1836661)

    * Previously, if the Seal option was used when creating a template for Linux virtual machines, the     original host name was not removed from the template.
    In this release, the host name is set to localhost or the new virtual machine host name. (BZ#1860492)

    * Previously, the used memory of the host didn't take the SReclaimable memory into consideration while it     did for free memory. As a result, there were discrepancies in the host statistics.
    In this release, the SReclaimable memory is a part of the used memory calculation. (BZ#1916519)

    Security Fix(es):

    * datatables.net: prototype pollution if 'constructor' were used in a data property name (CVE-2020-28458)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
193868	IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)	Nessus	CGI abuses	critical
172124	Tenable Nessus <= 10.4.2 Multiple Vulnerabilities (TNS-2023-09)	Nessus	Misc.	high
166600	Tenable Nessus 10.x < 10.3.1 Multiple Vulnerabilities (TNS-2022-20)	Nessus	Misc.	critical
148572	RHEL 8 : RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] security, (Moderate) (RHSA-2021:1169)	Nessus	Red Hat Local Security Checks	high
148566	RHEL 8 : RHV Manager (ovirt-engine) 4.4.z [ovirt-4.4.5] 0-day security, enhance (Moderate) (RHSA-2021:1186)	Nessus	Red Hat Local Security Checks	high
148540	RHEL 8 : RHV Host (ovirt-host) 4.4.z security, (Moderate) (RHSA-2021:1184)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-28458

high

Tenable Plugins

critical

high

critical

high

high

high