CBL Mariner 2.0 Security Update: mysql / rust / cmake / curl / tensorflow (CVE-2023-28322)

low Nessus Plugin ID 201825

Synopsis

The remote CBL Mariner host is missing one or more security updates.

Description

The version of mysql / rust / cmake / curl / tensorflow installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-28322 advisory.

- An information disclosure vulnerability exists in curl <v8.1.0 when doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle previously wasused to issue a `PUT` request which used that callback. This flaw May surprise the application and cause it to misbehave and either send off the wrong data or use memory after free or similar in the second transfer. The problem exists in the logic for a reused handle when it is (expected to be) changed from a PUT to a POST. (CVE-2023-28322)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2023-28322

Plugin Details

Severity: Low

ID: 201825

File Name: mariner_CVE-2023-28322.nasl

Version: 1.1

Type: local

Published: 7/3/2024

Updated: 7/3/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 2.2

CVSS v2

Risk Factor: Low

Base Score: 2.6

Temporal Score: 2

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2023-28322

CVSS v3

Risk Factor: Low

Base Score: 3.7

Temporal Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:microsoft:cbl-mariner:curl-libs, p-cpe:/a:microsoft:cbl-mariner:curl-devel, p-cpe:/a:microsoft:cbl-mariner:rust-debuginfo, p-cpe:/a:microsoft:cbl-mariner:mysql-devel, p-cpe:/a:microsoft:cbl-mariner:cmake-debuginfo, p-cpe:/a:microsoft:cbl-mariner:curl-debuginfo, p-cpe:/a:microsoft:cbl-mariner:rust, p-cpe:/a:microsoft:cbl-mariner:curl, p-cpe:/a:microsoft:cbl-mariner:mysql, x-cpe:/o:microsoft:cbl-mariner, p-cpe:/a:microsoft:cbl-mariner:mysql-debuginfo, p-cpe:/a:microsoft:cbl-mariner:cmake, p-cpe:/a:microsoft:cbl-mariner:rust-doc

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/CBLMariner/release, Host/CBLMariner/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 7/1/2024

Vulnerability Publication Date: 5/19/2023

Reference Information

CVE: CVE-2023-28322

IAVA: 2023-A-0259-S