GLSA-202405-03 : Dalli: Code Injection

Severity: Low. Nessus Plugin ID 194975

Description

The remote host is affected by the vulnerability described in GLSA-202405-03 (Dalli: Code Injection)

- A vulnerability was found in Dalli, the Ruby memcached client, and has been classified as problematic. Affected is the function self.meta_set in lib/dalli/protocol/meta/request_formatter.rb (the meta protocol handler). Manipulation of the input passed to this function leads to injection. An exploit has been publicly disclosed and may be in use. The fix is commit 48d594dae55934476fec61789e7a7c3700e0f50d; applying it, or upgrading to a release that contains it, is recommended. VDB-214026 is the VulDB identifier assigned to this issue. (CVE-2022-4064) This summary is the automatically generated VulDB text and does not say which input is left unsanitised; consult the referenced commit for the exact change.
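Worked illustration of the class of bug the advisory names, a command injection into a line-oriented text protocol, added here as an example; it is not Dalli's code and not the content of the referenced commit. The layout of the memcached meta set command (`ms <key> <datalen> <flags>*\r\n<data>\r\n`) and meta delete (`md <key>`) follow memcached's published meta protocol; the function names `meta_set_unchecked`, `meta_set_checked`, `validate_key!` and `parse_commands`, the attacker-controlled key and the sample value are constructed for this example, and the validation rules shown (reject whitespace and control characters, 250-byte limit) are memcached's general key constraints, not a claim about what the Dalli patch itself does.

```ruby
# Added example, not Dalli's code: a minimal memcached meta-protocol "ms"
# formatter shown once without key validation and once with it, plus a
# parser that splits a request buffer the way the server would, so the
# effect of an injected key is visible. Names and inputs are constructed.

CRLF = "\r\n".freeze

# Naive formatter: the caller's key is interpolated into the command line
# untouched, so a key containing whitespace or CR/LF rewrites the command.
def meta_set_unchecked(key, value, ttl: nil)
  flags = ttl ? " T#{ttl}" : ""
  "ms #{key} #{value.bytesize}#{flags}#{CRLF}#{value}#{CRLF}"
end

# memcached keys may not contain whitespace or control characters and are
# limited to 250 bytes unless the base64 ("b") flag is used. Reject anything
# else before it reaches the wire. (General protocol rule, not Dalli's code.)
KEY_MAX = 250
BAD_KEY = /[\x00-\x20\x7f]/ # space, CR, LF and other control characters

def validate_key!(key)
  raise ArgumentError, "key cannot be blank" if key.nil? || key.empty?
  raise ArgumentError, "key too long (#{key.bytesize} > #{KEY_MAX})" if key.bytesize > KEY_MAX
  raise ArgumentError, "key contains whitespace or control characters" if key.match?(BAD_KEY)
  key
end

# Hardened formatter: same wire format, but the key is validated first.
def meta_set_checked(key, value, ttl: nil)
  validate_key!(key)
  meta_set_unchecked(key, value, ttl: ttl)
end

# Split a request buffer into the command lines memcached would parse.
# Each command line ends in CRLF; an "ms" line is followed by exactly
# <datalen> bytes of payload and a trailing CRLF, which are skipped.
def parse_commands(buf)
  cmds = []
  i = 0
  while (nl = buf.index(CRLF, i))
    line = buf[i...nl]
    i = nl + 2
    cmds << line
    if line.start_with?("ms ")
      datalen = line.split(" ")[2].to_i
      i += datalen + 2 # skip the data block and its CRLF
    end
  end
  cmds
end

# Constructed attacker key: closes the "ms" command with an empty data block,
# then appends a meta delete of another key before the real "ms x" resumes.
INJECTED_KEY = "k 0\r\n\r\nmd victim\r\nms x".freeze

if $PROGRAM_NAME == __FILE__
  naive = meta_set_unchecked(INJECTED_KEY, "hello")
  puts "server would parse: #{parse_commands(naive).inspect}"
  begin
    meta_set_checked(INJECTED_KEY, "hello")
  rescue ArgumentError => e
    puts "hardened formatter rejected the key: #{e.message}"
  end
end
```

The point to take from the parser output is that the injected `md victim` is indistinguishable from a command the client meant to send; a client that passes a user-influenced cache key (session identifiers, URL fragments) straight to the formatter hands that user a memcached command channel. Arbitrary bytes in a key belong in the protocol's base64 (`b`) flag, not in raw interpolation.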

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

All Dalli users should upgrade to the latest version:

# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-ruby/dalli-3.2.3"

See Also

https://security.gentoo.org/glsa/202405-03

https://bugs.gentoo.org/show_bug.cgi?id=882077

Plugin Details

Severity: Low

ID: 194975

File Name: gentoo_GLSA-202405-03.nasl

Version: 1.0

Type: local

Published: 5/4/2024

Updated: 5/4/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 2

Vector: CVSS2#AV:N/AC:H/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2022-4064

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:gentoo:linux:dalli, cpe:/o:gentoo:linux

Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 5/4/2024

Vulnerability Publication Date: 11/19/2022

Reference Information

CVE: CVE-2022-4064