ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby code by having a user to load a repository containing a specially crafted filename to the product. This vulnerability is different from CVE-2022-47318.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6818 advisory.

    Red Hat Satellite is a systems management tool for Linux-based     infrastructure. It allows for provisioning, remote management, and     monitoring of multiple Linux deployments with a single centralized tool.

    Security Fix(es):

    * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (CVE-2023-44487)     (CVE-2023-39325)

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)     (CVE-2023-44487)

    * GitPython: Insecure non-multi options in clone and clone_from is not blocked (CVE-2023-40267)

    * kubeclient: kubeconfig parsing error can lead to MITM attacks (CVE-2022-0759)

    * foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

    * ruby-git: code injection vulnerability (CVE-2022-46648)

    * ruby-git: code injection vulnerability (CVE-2022-47318)

    * Foreman: Arbitrary code execution through templates (CVE-2023-0118)

    * rubygem-activerecord: SQL Injection (CVE-2023-22794)

    * openssl: c_rehash script allows command injection (CVE-2022-1292)

    * openssl: the c_rehash script allows command injection (CVE-2022-2068)

    * Pulp:Tokens stored in plaintext (CVE-2022-3644)

    * satellite: Blind SSRF via Referer header (CVE-2022-4130)

    * python-future: remote attackers can cause denial of service via crafted Set-Cookie header from malicious     web server (CVE-2022-40899)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * rubygem-activerecord: Denial of Service (CVE-2022-44566)

    * rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44570)

    * rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44571)

    * rubygem-rack: denial of service in Content-Disposition parsing (CVE-2022-44572)

    * Foreman: Stored cross-site scripting in host tab (CVE-2023-0119)

    * puppet: Puppet Server ReDoS (CVE-2023-1894)

    * rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22792)

    * rubygem-actionpack: Denial of Service in Action Dispatch (CVE-2023-22795)

    * rubygem-activesupport: Regular Expression Denial of Service (CVE-2023-22796)

    * rubygem-globalid: ReDoS vulnerability (CVE-2023-22799)

    * rubygem-rack: Denial of service in Multipart MIME parsing (CVE-2023-27530)

    * rubygem-rack: denial of service in header parsing (CVE-2023-27539)

    * golang: net/http: insufficient sanitization of Host header (CVE-2023-29406)

    * sqlparse: Parser contains a regular expression that is vulnerable to ReDOS (Regular Expression Denial of     Service) (CVE-2023-30608)

    * python-django: Potential bypass of validation when uploading multiple files using one form field     (CVE-2023-31047)

    * python-requests: Unintended leak of Proxy-Authorization header (CVE-2023-32681)

    * python-django: Potential regular expression denial of service vulnerability in     EmailValidator/URLValidator (CVE-2023-36053)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    This update also fixes several bugs and adds various enhancements. Documentation for these changes is     available from the Release Notes document linked to in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5980 advisory.

    Red Hat Satellite is a system management solution that allows organizations to configure and maintain     their systems without the necessity to provide public Internet access to their servers or other client     systems. It performs provisioning and configuration management of predefined standard operating     environments.

    Security fix(es):

    * golang: net/http, x/net/http2: rapid stream resets can cause excessive work (Rapid Reset)     (CVE-2023-39325)

    * HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset)     (CVE-2023-44487)

    A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaws is available in     the References section.

    * ruby-git: code injection vulnerability (CVE-2022-46648)

    * ruby-git: code injection vulnerability (CVE-2022-47318)

    * Foreman: Arbitrary code execution through templates (CVE-2023-0118)

    * Satellite/Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

    * openssl: c_rehash script allows command injection (CVE-2022-1292)

    * openssl: the c_rehash script allows command injection (CVE-2022-2068)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    This update fixes the following bugs:

    2159417 - CVE-2023-0118 foreman: Arbitrary code execution through templates [rhn_satellite_6.11]     2163523 - CVE-2023-0462 foreman: Satellite/Foreman: Arbitrary code execution through yaml global     parameters [rhn_satellite_6.11]     2242355 - CVE-2022-1292 CVE-2022-2068 puppet-agent for Satellite and Capsule: various flaws     [rhn_satellite_6.11]     2242360 - CVE-2022-47318 tfm-rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]     2242364 - CVE-2022-46648 rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.11]     2243832 - [Major Incident] CVE-2023-39325 CVE-2023-44487 yggdrasil-worker-forwarder: various flaws     [rhn_satellite_6.11]

    Users of Red Hat Satellite are advised to upgrade to these updated packages,     which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5931 advisory.

    Red Hat Satellite is a system management solution that allows organizations to configure and maintain     their systems without the necessity to provide public Internet access to their servers or other client     systems. It performs provisioning and configuration management of predefined standard operating     environments.

    Security fix(es):

    * Yggdrasil-worker-forwarder (gRPC): Rapid Reset Attack through HTTP/2 enabled web service which leads to     DDoS attack (CVE-2023-44487 & CVE-2023-39325)

    A Red Hat Security Bulletin which addresses further details about this flaw is available in the References     section.

    * Foreman: OS command injection via ct_command and fcct_command (CVE-2022-3874)

    * Foreman: Arbitrary code execution through yaml global parameters (CVE-2023-0462)

    * GitPython: Remote code execution and improper input validation vulnerability (CVE-2022-24439 &     CVE-2023-40267)

    * Ruby-git & tfm-rubygem-git: Code injection vulnerability (CVE-2022-47318 & CVE-2022-46648)

    * Python-django: Multiple flaws (CVE-2023-31047 & CVE-2023-36053)

    * Puppet-agent (openssl): Multiple flaws (CVE-2022-1292 CVE-2022-2068)

    This update fixes the following bugs:

    2238346 - Red Hat supported provisioning templates are not recognized by RH icon on the row for a given     template     2238348 - when creating a backup on rhel7 and restoring on rhel8, the restore process will fail with     permission issues     2238350 - Virtual machine goes in re-provisioning mode while registration host using Global registration     template.
    2238359 - Capsule redundantly synces *-Export-Library repos     2238361 - Can't update the redhat_repository_url without changing the cdn_configuration to custom_cdn     2238363 - katello-certs-check does not cause the installer to halt execution on failure     2238367 - Satellite Web UI >> Hosts >> All Hosts page loading slow even after power isn't selected from     the new option Manage columns.
    2238369 - Content-export incremental with syncable format based does not include productid file into     repodata directory     2238371 - SELinux is preventing pulpcore-worker from read access on the key labeled pulpcore_server_t     2239041 - Reclaim space for repository fails with Cannot delete some instances of model 'Artifact' because     they are referenced through protected foreign keys: 'ContentArtifact.artifact'.
    2238353 - The hammer export command using single thread encryption causes a performance bottleneck.
    2240781 - Remediation from CRC via Satellite shows Failed status even after successful remediation of     Insights recommendations.
    2241914 - NoMethodError: undefined method `fact_values' while trying to perform inventory upload

    Users of Red Hat Satellite are advised to upgrade to these updated packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:5979 advisory.

    Red Hat Satellite is a system management solution that allows organizations to     configure and maintain their systems without the necessity to provide public     Internet access to their servers or other client systems. It performs     provisioning and configuration management of predefined standard operating     environments.

    Security fix(es):

    foreman: Arbitrary code execution through templates

    foreman: Satellite/Foreman: Arbitrary code execution through yaml global parameters

    foreman: OS command injection via ct_command and fcct_command

    puppet-agent for Satellite and Capsule: various flaws

    tfm-rubygem-git: ruby-git: code injection vulnerability

    rubygem-git: ruby-git: code injection vulnerability

    yggdrasil-worker-forwarder: various flaws

    This update fixes the following bugs:

    2159656 - CVE-2023-0118 foreman: Arbitrary code execution through templates [rhn_satellite_6.12]     2163524 - CVE-2023-0462 foreman: Satellite/Foreman: Arbitrary code execution through yaml global     parameters [rhn_satellite_6.12]     2163694 - CVE-2022-3874 foreman: OS command injection via ct_command and fcct_command [rhn_satellite_6.12]     2242354 - CVE-2022-1292 CVE-2022-2068 puppet-agent for Satellite and Capsule: various flaws     [rhn_satellite_6.12]     2242359 - CVE-2022-47318 tfm-rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.12]     2242362 - CVE-2022-46648 rubygem-git: ruby-git: code injection vulnerability [rhn_satellite_6.12]     2243833 - [Major Incident] CVE-2023-39325 CVE-2023-44487 yggdrasil-worker-forwarder: various flaws     [rhn_satellite_6.12]

    Users of Red Hat Satellite are advised to upgrade to these updated packages,     which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2023:6818 advisory.

  - A flaw was found in all versions of kubeclient up to (but not including) v4.9.3, the Ruby client for     Kubernetes REST API, in the way it parsed kubeconfig files. When the kubeconfig file does not configure     custom CA to verify certs, kubeclient ends up accepting any certificate (it wrongly returns VERIFY_NONE).
    Ruby applications that leverage kubeclient to parse kubeconfig files are susceptible to Man-in-the-middle     attacks (MITM). (CVE-2022-0759)

  - The c_rehash script does not properly sanitise shell metacharacters to prevent command injection. This     script is distributed by some operating systems in a manner where it is automatically executed. On such     operating systems, an attacker could execute arbitrary commands with the privileges of the script. Use of     the c_rehash script is considered obsolete and should be replaced by the OpenSSL rehash command line tool.
    Fixed in OpenSSL 3.0.3 (Affected 3.0.0,3.0.1,3.0.2). Fixed in OpenSSL 1.1.1o (Affected 1.1.1-1.1.1n).
    Fixed in OpenSSL 1.0.2ze (Affected 1.0.2-1.0.2zd). (CVE-2022-1292)

  - In addition to the c_rehash shell command injection identified in CVE-2022-1292, further circumstances     where the c_rehash script does not properly sanitise shell metacharacters to prevent command injection     were found by code review. When the CVE-2022-1292 was fixed it was not discovered that there are other     places in the script where the file names of certificates being hashed were possibly passed to a command     executed through the shell. This script is distributed by some operating systems in a manner where it is     automatically executed. On such operating systems, an attacker could execute arbitrary commands with the     privileges of the script. Use of the c_rehash script is considered obsolete and should be replaced by the     OpenSSL rehash command line tool. Fixed in OpenSSL 3.0.4 (Affected 3.0.0,3.0.1,3.0.2,3.0.3). Fixed in     OpenSSL 1.1.1p (Affected 1.1.1-1.1.1o). Fixed in OpenSSL 1.0.2zf (Affected 1.0.2-1.0.2ze). (CVE-2022-2068)

  - The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field     and exposes them in read/write mode via the API () instead of marking it as write only. (CVE-2022-3644)

  - A command injection flaw was found in foreman. This flaw allows an authenticated user with admin     privileges on the foreman instance to transpile commands through CoreOS and Fedora CoreOS configurations     in templates, possibly resulting in arbitrary command execution on the underlying operating system.
    (CVE-2022-3874)

  - An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial     of service via crafted Set-Cookie header from malicious web server. (CVE-2022-40899)

  - A blind site-to-site request forgery vulnerability was found in Satellite server. It is possible to     trigger an external interaction to an attacker's server by modifying the Referer header in an HTTP request     of specific resources in the server. (CVE-2022-4130)

  - An attacker can cause excessive memory growth in a Go server accepting HTTP/2 requests. HTTP/2 server     connections contain a cache of HTTP header keys sent by the client. While the total number of entries in     this cache is capped, an attacker sending very large keys can cause the server to allocate approximately     64 MiB per open connection. (CVE-2022-41717)

  - A denial of service vulnerability present in ActiveRecord's PostgreSQL adapter <7.0.4.1 and <6.1.7.1. When     a value outside the range for a 64bit signed integer is provided to the PostgreSQL connection adapter, it     will treat the target column type as numeric. Comparing integer values against numeric values can result     in a slow sequential scan resulting in potential Denial of Service. (CVE-2022-44566)

  - A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A Carefully     crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time,     possibly resulting in a denial of service attack vector. Any applications that deal with Range requests     (such as streaming applications, or applications that serve files) may be impacted. (CVE-2022-44570)

  - There is a denial of service vulnerability in the Content-Disposition parsingcomponent of Rack fixed in     2.0.9.2, 2.1.4.2, 2.2.4.1, 3.0.0.1. This could allow an attacker to craft an input that can cause Content-     Disposition header parsing in Rackto take an unexpected amount of time, possibly resulting in a denial     ofservice attack vector. This header is used typically used in multipartparsing. Any applications that     parse multipart posts using Rack (virtuallyall Rails applications) are impacted. (CVE-2022-44571)

  - A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2,     2.2.4.1 and 3.0.0.1 could allow an attacker tocraft input that can cause RFC2183 multipart boundary     parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack     vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are     impacted. (CVE-2022-44572)

  - ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby     code by having a user to load a repository containing a specially crafted filename to the product. This     vulnerability is different from CVE-2022-47318. (CVE-2022-46648)

  - ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby     code by having a user to load a repository containing a specially crafted filename to the product. This     vulnerability is different from CVE-2022-46648. (CVE-2022-47318)

  - An arbitrary code execution flaw was found in Foreman. This flaw allows an admin user to bypass safe mode     in templates and execute arbitrary code on the underlying operating system. (CVE-2023-0118)

  - A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has     incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on     the system can steal another user's session, make requests on behalf of the user, and obtain user     credentials. (CVE-2023-0119)

  - A Regular Expression Denial of Service (ReDoS) issue was discovered in Puppet Server 7.9.2 certificate     validation. An issue related to specifically crafted certificate names significantly slowed down server     operations. (CVE-2023-1894)

  - A regular expression based DoS vulnerability in Action Dispatch <6.0.6.1,< 6.1.7.1, and <7.0.4.1.
    Specially crafted cookies, in combination with a specially crafted X_FORWARDED_HOST header can cause the     regular expression engine to enter a state of catastrophic backtracking. This can cause the process to use     large amounts of CPU and memory, leading to a possible DoS vulnerability All users running an affected     release should either upgrade or use one of the workarounds immediately. (CVE-2023-22792)

  - A vulnerability in ActiveRecord <6.0.6.1, v6.1.7.1 and v7.0.4.1 related to the sanitization of comments.
    If malicious user input is passed to either the `annotate` query method, the `optimizer_hints` query     method, or through the QueryLogs interface which automatically adds annotations, it may be sent to the     database withinsufficient sanitization and be able to inject SQL outside of the comment. (CVE-2023-22794)

  - A regular expression based DoS vulnerability in Action Dispatch <6.1.7.1 and <7.0.4.1 related to the If-     None-Match header. A specially crafted HTTP If-None-Match header can cause the regular expression engine     to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the     process to use large amounts of CPU and memory, leading to a possible DoS vulnerability All users running     an affected release should either upgrade or use one of the workarounds immediately. (CVE-2023-22795)

  - A regular expression based DoS vulnerability in Active Support <6.1.7.1 and <7.0.4.1. A specially crafted     string passed to the underscore method can cause the regular expression engine to enter a state of     catastrophic backtracking. This can cause the process to use large amounts of CPU and memory, leading to a     possible DoS vulnerability. (CVE-2023-22796)

  - A ReDoS based DoS vulnerability in the GlobalID <1.0.1 which could allow an attacker supplying a carefully     crafted input can cause the regular expression engine to take an unexpected amount of time. All users     running an affected release should either upgrade or use one of the workarounds immediately.
    (CVE-2023-22799)

  - A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart     MIME parsing code in which could allow an attacker to craft requests that can be abuse to cause multipart     parsing to take longer than expected. (CVE-2023-27530)

  - The HTTP/1 client does not fully validate the contents of the Host header. A maliciously crafted Host     header can inject additional headers or entire requests. With fix, the HTTP/1 client now refuses to send     requests containing an invalid Request.Host or Request.URL.Host value. (CVE-2023-29406)

  - sqlparse is a non-validating SQL parser module for Python. In affected versions the SQL parser contains a     regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service). This issue was     introduced by commit `e75e358`. The vulnerability may lead to Denial of Service (DoS). This issues has     been fixed in sqlparse 0.4.4 by commit `c457abd5f`. Users are advised to upgrade. There are no known     workarounds for this issue. (CVE-2023-30608)

  - In Django 3.2 before 3.2.19, 4.x before 4.1.9, and 4.2 before 4.2.1, it was possible to bypass validation     when using one form field to upload multiple files. This multiple upload has never been supported by     forms.FileField or forms.ImageField (only the last uploaded file was validated). However, Django's     Uploading multiple files documentation suggested otherwise. (CVE-2023-31047)

  - Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to     destination servers when redirected to an HTTPS endpoint. This is a product of how we use     `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent     through the tunnel, the proxy will identify the header in the request itself and remove it prior to     forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must     be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in     Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious     actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
    (CVE-2023-32681)

  - In Django 3.2 before 3.2.20, 4 before 4.1.10, and 4.2 before 4.2.3, EmailValidator and URLValidator are     subject to a potential ReDoS (regular expression denial of service) attack via a very large number of     domain name labels of emails and URLs. (CVE-2023-36053)

  - A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive     server resource consumption. While the total number of requests is bounded by the     http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create     a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound     the number of simultaneously executing handler goroutines to the stream concurrency limit     (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client     has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows     too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2     for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per     HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the     Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)

  - GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this     issue exists because of an incomplete fix for CVE-2022-24439. (CVE-2023-40267)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

  - The Ruby on Rails advisory describes this vulnerability as follows: (CVE-2023-27539)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3303 advisory.

  - The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling     the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch     subcommand in a way that additional flags can be set. The additional flags can be used to perform a     command injection. (CVE-2022-25648)

  - ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby     code by having a user to load a repository containing a specially crafted filename to the product. This     vulnerability is different from CVE-2022-47318. (CVE-2022-46648)

  - ruby-git versions prior to v1.13.0 allows a remote authenticated attacker to execute an arbitrary ruby     code by having a user to load a repository containing a specially crafted filename to the product. This     vulnerability is different from CVE-2022-46648. (CVE-2022-47318)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
194436	RHEL 8 : Satellite 6.14 (RHSA-2023:6818)	Nessus	Red Hat Local Security Checks	critical
194416	RHEL 7 / 8 : Satellite 6.11.5.6 async (RHSA-2023:5980)	Nessus	Red Hat Local Security Checks	critical
194378	RHEL 8 : Satellite 6.13.5 Async Security Update (Important) (RHSA-2023:5931)	Nessus	Red Hat Local Security Checks	critical
194359	RHEL 8 : Satellite 6.12.5.2 Async Security Update (Important) (RHSA-2023:5979)	Nessus	Red Hat Local Security Checks	critical
185473	Rocky Linux 8 : Satellite 6.14 (RLSA-2023:6818)	Nessus	Rocky Linux Local Security Checks	critical
170879	Debian DLA-3303-1 : ruby-git - LTS security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2022-46648

high

Tenable Plugins

critical

critical

critical

critical

critical

critical