EulerOS 2.0 SP5 : python (EulerOS-SA-2021-2669)

high Nessus Plugin ID 155235

Synopsis

The remote EulerOS host is missing multiple security updates.

Description

According to the versions of the python packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

- There's a flaw in urllib's AbstractBasicAuthHandler class. An attacker who controls a malicious HTTP server that an HTTP client (such as web browser) connects to, could trigger a Regular Expression Denial of Service (ReDOS) during an authentication request with a specially crafted payload that is sent by the server to the client. The greatest threat that this flaw poses is to application availability.
(CVE-2021-3733)

- A flaw was found in python. An improperly handled HTTP response in the HTTP client code of python may allow a remote attacker, who controls the HTTP server, to make the client script enter an infinite loop, consuming CPU time. The highest threat from this vulnerability is to system availability. (CVE-2021-3737)

Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory.

Solution

Update the affected python packages.

See Also

http://www.nessus.org/u?0a3b4180

Plugin Details

Severity: High

ID: 155235

File Name: EulerOS_SA-2021-2669.nasl

Version: 1.8

Type: local

Published: 11/11/2021

Updated: 11/24/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: High

Base Score: 7.1

Temporal Score: 5.6

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2021-3737

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:huawei:euleros:python-libs, p-cpe:/a:huawei:euleros:tkinter, p-cpe:/a:huawei:euleros:python-devel, p-cpe:/a:huawei:euleros:python, cpe:/o:huawei:euleros:2.0

Required KB Items: Host/local_checks_enabled, Host/EulerOS/release, Host/EulerOS/rpm-list, Host/EulerOS/sp

Excluded KB Items: Host/EulerOS/uvp_version

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/11/2021

Vulnerability Publication Date: 9/20/2021

Reference Information

CVE: CVE-2021-3733, CVE-2021-3737

IAVA: 2021-A-0497-S