Detections
Analytics
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : pgadmin4 (SUSE-SU-2024:3771-1)
critical Nessus Plugin ID 209968
Language:
Synopsis
The remote SUSE host is missing one or more security updates.Description
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3771-1 advisory.- CVE-2024-38355: Fixed socket.io: unhandled 'error' event (bsc#1226967)
- CVE-2024-38998: Fixed requirejs: prototype pollution via function config (bsc#1227248)
- CVE-2024-38999: Fixed requirejs: prototype pollution via function s.contexts._.configure (bsc#1227252)
- CVE-2024-39338: Fixed axios: server-side request forgery due to requests for path relative URLs being processed as protocol relative URLs in axios (bsc#1229423)
- CVE-2024-4067: Fixed micromatch: vulnerable to Regular Expression Denial of Service (ReDoS) (bsc#1224366)
- CVE-2024-4068: Fixed braces: fails to limit the number of characters it can handle, which could lead to Memory Exhaustion (bsc#1224295)
- CVE-2024-43788: Fixed webpack: DOM clobbering gadget in AutoPublicPathRuntimeModule could lead to XSS (bsc#1229861)
- CVE-2024-48948: Fixed elliptic: ECDSA signature verification error due to leading zero may reject legitimate transactions in elliptic (bsc#1231684)
- CVE-2024-48949: Fixed elliptic: Missing Validation in Elliptic's EDDSA Signature Verification (bsc#1231564)
- CVE-2024-9014: Fixed OAuth2 issue that could lead to information leak (bsc#1230928)
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bugzilla.suse.com/1224295
https://bugzilla.suse.com/1224366
https://bugzilla.suse.com/1226967
https://bugzilla.suse.com/1227248
https://bugzilla.suse.com/1227252
https://bugzilla.suse.com/1229423
https://bugzilla.suse.com/1229861
https://bugzilla.suse.com/1230928
https://bugzilla.suse.com/1231564
https://bugzilla.suse.com/1231684
http://www.nessus.org/u?47d06711
https://www.suse.com/security/cve/CVE-2024-38355
https://www.suse.com/security/cve/CVE-2024-38998
https://www.suse.com/security/cve/CVE-2024-38999
https://www.suse.com/security/cve/CVE-2024-39338
https://www.suse.com/security/cve/CVE-2024-4067
https://www.suse.com/security/cve/CVE-2024-4068
https://www.suse.com/security/cve/CVE-2024-43788
https://www.suse.com/security/cve/CVE-2024-48948
Plugin Details
Severity: Critical
ID: 209968
File Name: suse_SU-2024-3771-1.nasl
Version: 1.1
Type: local
Agent: unix
Family: SuSE Local Security Checks
Published: 10/31/2024
Updated: 10/31/2024
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.3
CVSS v2
Risk Factor: Critical
Base Score: 10
Temporal Score: 7.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2024-38998
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:novell:suse_linux:pgadmin4, p-cpe:/a:novell:suse_linux:pgadmin4-doc, p-cpe:/a:novell:suse_linux:system-user-pgadmin, cpe:/o:novell:suse_linux:15
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 10/29/2024
Vulnerability Publication Date: 5/13/2024
Reference Information
CVE: CVE-2024-38355, CVE-2024-38998, CVE-2024-38999, CVE-2024-39338, CVE-2024-4067, CVE-2024-4068, CVE-2024-43788, CVE-2024-48948, CVE-2024-48949, CVE-2024-9014
SuSE: SUSE-SU-2024:3771-1