Detections
Analytics
RHEL 7 : ipa (RHSA-2020:3936)
medium Nessus Plugin ID 143080
Language:
Synopsis
The remote Red Hat host is missing one or more security updates.Description
The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3936 advisory.Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.
The following packages have been upgraded to a later upstream version: ipa (4.6.8). (BZ#1819725)
Security Fix(es):
* js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)
* bootstrap: XSS in the data-target attribute (CVE-2016-10735)
* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)
* bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip. (CVE-2018-14042)
* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)
* bootstrap: XSS in the affix configuration target property (CVE-2018-20677)
* bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)
* js-jquery: prototype pollution in object's prototype leading to denial of service or remote code execution or property injection (CVE-2019-11358)
* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)
* ipa: No password length restriction leads to denial of service (CVE-2020-1722)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
Additional Changes:
For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.9 Release Notes linked from the References section.
Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
http://www.nessus.org/u?220235b5
http://www.nessus.org/u?dd3afe18
https://access.redhat.com/security/updates/classification/#moderate
https://access.redhat.com/errata/RHSA-2020:3936
https://bugzilla.redhat.com/show_bug.cgi?id=1399546
https://bugzilla.redhat.com/show_bug.cgi?id=1404770
https://bugzilla.redhat.com/show_bug.cgi?id=1545755
https://bugzilla.redhat.com/show_bug.cgi?id=1601614
https://bugzilla.redhat.com/show_bug.cgi?id=1601617
https://bugzilla.redhat.com/show_bug.cgi?id=1668082
https://bugzilla.redhat.com/show_bug.cgi?id=1668089
https://bugzilla.redhat.com/show_bug.cgi?id=1668097
https://bugzilla.redhat.com/show_bug.cgi?id=1788907
https://bugzilla.redhat.com/show_bug.cgi?id=1793071
https://bugzilla.redhat.com/show_bug.cgi?id=1795890
https://bugzilla.redhat.com/show_bug.cgi?id=1801791
https://bugzilla.redhat.com/show_bug.cgi?id=1817886
https://bugzilla.redhat.com/show_bug.cgi?id=1817918
https://bugzilla.redhat.com/show_bug.cgi?id=1817919
https://bugzilla.redhat.com/show_bug.cgi?id=1817922
https://bugzilla.redhat.com/show_bug.cgi?id=1817923
https://bugzilla.redhat.com/show_bug.cgi?id=1817927
https://bugzilla.redhat.com/show_bug.cgi?id=1819725
https://bugzilla.redhat.com/show_bug.cgi?id=1825829
https://bugzilla.redhat.com/show_bug.cgi?id=1828406
https://bugzilla.redhat.com/show_bug.cgi?id=1829787
https://bugzilla.redhat.com/show_bug.cgi?id=1834385
https://bugzilla.redhat.com/show_bug.cgi?id=1842950
https://bugzilla.redhat.com/show_bug.cgi?id=1686454
https://bugzilla.redhat.com/show_bug.cgi?id=1701972
https://bugzilla.redhat.com/show_bug.cgi?id=1754902
https://bugzilla.redhat.com/show_bug.cgi?id=1755535
https://bugzilla.redhat.com/show_bug.cgi?id=1756568
https://bugzilla.redhat.com/show_bug.cgi?id=1758406
https://bugzilla.redhat.com/show_bug.cgi?id=1769791
https://bugzilla.redhat.com/show_bug.cgi?id=1771356
https://bugzilla.redhat.com/show_bug.cgi?id=1780548
Plugin Details
Severity: Medium
ID: 143080
File Name: redhat-RHSA-2020-3936.nasl
Version: 1.12
Type: local
Agent: unix
Family: Red Hat Local Security Checks
Published: 11/19/2020
Updated: 11/7/2024
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.6
Vendor
Vendor Severity: Moderate
CVSS v2
Risk Factor: Medium
Base Score: 4.3
Temporal Score: 3.4
Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N
CVSS Score Source: CVE-2020-11022
CVSS v3
Risk Factor: Medium
Base Score: 6.1
Temporal Score: 5.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:redhat:enterprise_linux:ipa-server, p-cpe:/a:redhat:enterprise_linux:ipa-server-trust-ad, p-cpe:/a:redhat:enterprise_linux:ipa-client, p-cpe:/a:redhat:enterprise_linux:ipa-client-common, cpe:/o:redhat:enterprise_linux:7, p-cpe:/a:redhat:enterprise_linux:python2-ipaclient, p-cpe:/a:redhat:enterprise_linux:python2-ipaserver, p-cpe:/a:redhat:enterprise_linux:ipa-python-compat, p-cpe:/a:redhat:enterprise_linux:ipa, p-cpe:/a:redhat:enterprise_linux:ipa-server-common, p-cpe:/a:redhat:enterprise_linux:python2-ipalib, p-cpe:/a:redhat:enterprise_linux:ipa-server-dns, p-cpe:/a:redhat:enterprise_linux:ipa-common
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 9/29/2020
Vulnerability Publication Date: 1/18/2018
Reference Information
CVE: CVE-2015-9251, CVE-2016-10735, CVE-2018-14040, CVE-2018-14042, CVE-2018-20676, CVE-2018-20677, CVE-2019-11358, CVE-2019-8331, CVE-2020-11022, CVE-2020-1722