Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Notes: none

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0613 advisory.

  - A prototype pollution vulnerability exists in the function copy in dom.js in the xmldom (published as     @xmldom/xmldom) package before 0.8.3 for Node.js via the p variable. NOTE: the vendor states we are in     the process of marking this report as invalid; however, some third parties takes the position that A     prototype injection/Prototype pollution is not just when global objects are polluted with recursive merge     or deep cloning but also when a target object is polluted. (CVE-2022-37616)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - An issue was discovered in libxml2 before 2.10.3. When parsing a multi-gigabyte XML document with the     XML_PARSE_HUGE parser option enabled, several integer counters can overflow. This results in an attempt to     access an array at a negative 2GB offset, typically leading to a segmentation fault. (CVE-2022-40303)

  - An issue was discovered in libxml2 before 2.10.3. Certain invalid XML entity definitions can corrupt a     hash table key, potentially leading to subsequent logic errors. In one case, a double-free can be     provoked. (CVE-2022-40304)

  - There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName.
    X.400 addresses were parsed as an ASN1_STRING but the public structure definition for GENERAL_NAME     incorrectly specified the type of the x400Address field as ASN1_TYPE. This field is subsequently     interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather than an ASN1_STRING. When CRL     checking is enabled (i.e. the application sets the X509_V_FLAG_CRL_CHECK flag), this vulnerability may     allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or     enact a denial of service. In most cases, the attack requires the attacker to provide both the certificate     chain and CRL, neither of which need to have a valid signature. If the attacker only controls one of these     inputs, the other input must already contain an X.400 address as a CRL distribution point, which is     uncommon. As such, this vulnerability is most likely to only affect applications which have implemented     their own functionality for retrieving CRLs over a network. (CVE-2023-0286)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4151 advisory.

  - In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content     retrieved via HTTP. (CVE-2020-27619)

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before     3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and     urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query     parameters using a semicolon (;), they can cause a difference in the interpretation of the request between     the proxy (running with default configuration) and the server. This can result in malicious requests being     cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and     therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn     by its CNA. Notes: none (CVE-2021-20095)

  - Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing     serialized Python objects) via directory traversal, leading to code execution. (CVE-2021-42771)

  - An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when     performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only     contains the exception keyword. (CVE-2021-20270)

  - In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular     expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are     vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
    (CVE-2021-27291)

  - This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the     `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most     exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format     user content instead of the urlize filter, or by implementing request timeouts and limiting process     memory. (CVE-2020-28493)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-4162 advisory.

  - The package python/cpython from 0 and before 3.6.13, from 3.7.0 and before 3.7.10, from 3.8.0 and before     3.8.8, from 3.9.0 and before 3.9.2 are vulnerable to Web Cache Poisoning via urllib.parse.parse_qsl and     urllib.parse.parse_qs by using a vector called parameter cloaking. When the attacker can separate query     parameters using a semicolon (;), they can cause a difference in the interpretation of the request between     the proxy (running with default configuration) and the server. This can result in malicious requests being     cached as completely safe ones, as the proxy would usually not see the semicolon as a separator, and     therefore would not include it in a cache key of an unkeyed parameter. (CVE-2021-23336)

  - Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn     by its CNA. Notes: none (CVE-2021-20095)

  - psutil (aka python-psutil) through 5.6.5 can have a double free. This occurs because of refcount     mishandling within a while or for loop that converts system data into a Python object. (CVE-2019-18874)

  - Babel.Locale in Babel before 2.9.1 allows attackers to load arbitrary locale .dat files (containing     serialized Python objects) via directory traversal, leading to code execution. (CVE-2021-42771)

  - A flaw was found in python-pip in the way it handled Unicode separators in git references. A remote     attacker could possibly use this issue to install a different revision on a repository. The highest threat     from this vulnerability is to data integrity. This is fixed in python-pip version 21.1. (CVE-2021-3572)

  - There's a flaw in Python 3's pydoc. A local or adjacent attacker who discovers or is able to convince     another local or adjacent user to start a pydoc server could access the server and use it to disclose     sensitive information belonging to the other user that they would not normally be able to access. The     highest risk of this flaw is to data confidentiality. This flaw affects Python versions before 3.8.9,     Python versions before 3.9.3 and Python versions before 3.10.0a7. (CVE-2021-3426)

  - This affects the package jinja2 from 0.0.0 and before 2.11.3. The ReDoS vulnerability is mainly due to the     `_punctuation_re regex` operator and its use of multiple wildcards. The last wildcard is the most     exploitable as it searches for trailing punctuation. This issue can be mitigated by Markdown to format     user content instead of the urlize filter, or by implementing request timeouts and limiting process     memory. (CVE-2020-28493)

  - An XSS vulnerability was discovered in python-lxml's clean module versions before 4.6.3. When disabling     the safe_attrs_only and forms arguments, the Cleaner class does not remove the formaction attribute     allowing for JS to bypass the sanitizer. A remote attacker could exploit this flaw to run arbitrary JS     code on users who interact with incorrectly sanitized HTML. This issue is patched in lxml 4.6.3.
    (CVE-2021-28957)

  - An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in     the authority component, the authority regular expression exhibits catastrophic backtracking, causing a     denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
    (CVE-2021-33503)

  - In Python before 3,9,5, the ipaddress library mishandles leading zero characters in the octets of an IP     address string. This (in some situations) allows attackers to bypass access control that is based on IP     addresses. (CVE-2021-29921)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2021-4201 advisory.

    [2.5.1-7]
    - Include the /usr/bin/pybabel binary that runs on Python 3.6 in the       python3-babel package     Resolves: rhbz#1967173

    [2.5.1-6]
    - Fix CVE-2021-20095     Resolves: rhbz#1955615

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3254 advisory.

  - python-cryptography: Bleichenbacher timing oracle attack against RSA decryption (CVE-2020-25659)

  - python: Unsafe use of eval() on data retrieved via HTTP in the test suite (CVE-2020-27619)

  - python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)

  - python-jinja2: ReDoS vulnerability in the urlize filter (CVE-2020-28493)

  - python-cryptography: Large inputs for symmetric encryption can trigger integer overflow leading to buffer     overflow (CVE-2020-36242)

  - python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)

  - python: Information disclosure via pydoc (CVE-2021-3426)

  - python-pip: Incorrect handling of unicode separators in git references (CVE-2021-3572)

  - python: urllib: Regular expression DoS in AbstractBasicAuthHandler (CVE-2021-3733)

  - python: ftplib should not use the host from the PASV response (CVE-2021-4189)

  - python-babel: Relative path traversal allows attacker to load arbitrary locale files and execute arbitrary     code (CVE-2021-20095, CVE-2021-42771)

  - python: Web cache poisoning via urllib.parse.parse_qsl and urllib.parse.parse_qs by using a semicolon in     query parameters (CVE-2021-23336)

  - python-lxml: Missing input sanitization for formaction HTML5 attributes may lead to XSS (CVE-2021-28957)

  - python-ipaddress: Improper input validation of octal strings (CVE-2021-29921)

  - python-urllib3: ReDoS in the parsing of authority part of URL (CVE-2021-33503)

  - python: urllib.parse does not sanitize URLs containing ASCII newline and tabs (CVE-2022-0391)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

** REJECT **   DO NOT USE THIS CANDIDATE NUMBER.   ConsultIDs: none. Reason:   This candidate was withdrawn by its CNA.   Notes: none.

ID	Name	Product	Family	Severity
196294	RHEL 6 : python-babel (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
196286	RHEL 7 : python-babel (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
194919	Splunk Enterprise < 8.1.14, 8.2.0 < 8.2.11, 9.0.0 < 9.0.5 (SVD-2023-0613)	Nessus	CGI abuses	critical
155987	Oracle Linux 8 : python27:2.7 (ELSA-2021-4151)	Nessus	Oracle Linux Local Security Checks	high
155969	Oracle Linux 8 : python38:3.8 / and / python38-devel:3.8 (ELSA-2021-4162)	Nessus	Oracle Linux Local Security Checks	high
155390	Oracle Linux 8 : babel (ELSA-2021-4201)	Nessus	Oracle Linux Local Security Checks	high
152781	RHEL 7 : rh-python38 (RHSA-2021:3254)	Nessus	Red Hat Local Security Checks	critical
149834	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 / 21.04 : Babel vulnerability (USN-4962-1) (deprecated)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2021-20095

No Score

Tenable Plugins

high

high

critical

high

high

high

critical

high