The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-e9d65906c4 advisory.

    - url: use IDN decoded names for HSTS checks (CVE-2022-42916)
    - http_proxy: restore the protocol pointer on error (CVE-2022-42915)
    - netrc: replace fgets with Curl_get_line (CVE-2022-35260)
    - fix POST following PUT confusion (CVE-2022-32221)


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-083 advisory.

    2024-02-15: CVE-2022-27781 was added to this advisory.

    A vulnerability was found in curl. This security flaw allows reusing OAUTH2-authenticated connections     without properly ensuring that the connection was authenticated with the same credentials set for this     transfer. This issue leads to an authentication bypass, either by mistake or by a malicious actor.
    (CVE-2022-22576)

    A vulnerability was found in curl. This security flaw allows leaking credentials to other servers when it     follows redirects from auth-protected HTTP(S) URLs to other protocols and port numbers. (CVE-2022-27774)

    A vulnerability was found in curl. This security flaw occurs due to errors in the logic where the config     matching function did not take the IPv6 address zone id into account. This issue can lead to curl reusing     the wrong connection when one transfer uses a zone id, and the subsequent transfer uses another.
    (CVE-2022-27775)

    A vulnerability was found in curl. This security flaw allows leak authentication or cookie header data on     HTTP redirects to the same host but another port number. Sending the same set of headers to a server on a     different port number is a problem for applications that pass on custom `Authorization:` or     `Cookie:`headers. Those headers often contain privacy-sensitive information or data. (CVE-2022-27776)

    A vulnerability was found in curl. The issue occurs because curl wrongly allows HTTP cookies to be set for     Top Level Domains (TLDs) if the hostname is provided with a trailing dot. This flaw allows arbitrary sites     to set cookies that get sent to a different and unrelated site or domain by a malicious actor.
    (CVE-2022-27779)

    A vulnerability was found in curl. This issue occurs because the curl URL parser wrongly accepts percent-     encoded URL separators like / when decoding the hostname part of a URL, making it a different URL using     the wrong hostname when it is later retrieved. This flaw allows a malicious actor to make circumventing     filters. (CVE-2022-27780)

    libcurl provides the `CURLOPT_CERTINFO` option to allow applications torequest details to be returned     about a server's certificate chain.Due to an erroneous function, a malicious server could make libcurl     built withNSS get stuck in a never-ending busy-loop when trying to retrieve thatinformation.
    (CVE-2022-27781)

    A vulnerability was found in curl. This issue occurs because curl can reuse a previously created     connection even when a TLS or SSH-related option is changed that should have prohibited reuse. This flaw     leads to an authentication bypass, either by mistake or by a malicious actor. (CVE-2022-27782)

    A vulnerability was found in curl. This issue occurs because when using its HTTP Strict Transport     Security(HSTS) support, it can instruct curl to use HTTPS directly instead of using an insecure clear text     HTTP step even when HTTP is provided in the URL. This flaw leads to a clear text transmission of sensitive     information. (CVE-2022-30115)

    A vulnerability was found in curl. This issue occurs because a malicious server can serve excessive     amounts of `Set-Cookie:` headers in an HTTP response to curl, which stores all of them. This flaw leads to     a denial of service, either by mistake or by a malicious actor. (CVE-2022-32205)

    A vulnerability was found in curl. This issue occurs because the number of acceptable links in the     decompression chain was unbounded, allowing a malicious server to insert a virtually unlimited number of     compression steps. This flaw leads to a denial of service, either by mistake or by a malicious actor.
    (CVE-2022-32206)

    A vulnerability was found in curl. This issue occurs because when curl saves cookies, alt-svc, and HSTS     data to local files, it makes the operation atomic by finalizing the process with a rename from a     temporary name to the final target file name. This flaw leads to unpreserved file permissions, either by     mistake or by a malicious actor. (CVE-2022-32207)

    A vulnerability was found in curl. This issue occurs because it mishandles message verification failures     when curl does FTP transfers secured by krb5. This flaw makes it possible for a Man-in-the-middle attack     to go unnoticed and allows data injection into the client. (CVE-2022-32208)

    A vulnerability was found in curl. The issue occurs when doing HTTP(S) transfers, where curl might     erroneously use the read callback () to ask for data to send, even when the  option has been set if it     previously used the same handle to issue a  request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent  request. (CVE-2022-32221)

    A vulnerability found in curl. This security flaw happens when curl is used to retrieve and parse cookies     from an HTTP(S) server, where it accepts cookies using control codes (byte values below 32), and also when     cookies that contain such control codes are later sent back to an HTTP(S) server, possibly causing the     server to return a 400 response. This issue effectively allows a sister site to deny service to siblings     and cause a denial of service attack. (CVE-2022-35252)

    A vulnerability was found in curl. The issue occurs when curl is told to parse a `.netrc` file for     credentials. If that file ends in a line with consecutive non-white space letters and no newline, curl     could read past the end of the stack-based buffer, and if the read works, it can write a zero byte beyond     its boundary. This issue, in most cases, causes a segfault or similar problem. A denial of service can     occur if a malicious user can provide a custom netrc file to an application or otherwise affect its     contents. (CVE-2022-35260)

    A vulnerability was found in curl. The issue occurs if curl is told to use an HTTP proxy for a transfer     with a non-HTTP(S) URL. It sets up the connection to the remote server by issuing a `CONNECT` request to     the proxy and then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP     proxies often only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead     return a non-200 response code to the client. Due to flaws in the error/cleanup handling, this could     trigger a double-free issue in curl if using one of the following schemes in the URL for the transfer:
    `dict,` `gopher,` `gophers,` `ldap`, `ldaps`, `rtmp`, `rtmps`, `telnet.` (CVE-2022-42915)

    A vulnerability was found in curl. The issue occurs because curl's HSTS check can be bypassed to trick it     to keep using HTTP. Using its HSTS support, it can instruct curl to use HTTPS directly instead of using an     insecure clear-text HTTP step even when HTTP is provided in the URL. This mechanism can be bypassed if the     hostname in the given URL uses IDN characters that get replaced with ASCII counterparts as part of the IDN     conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full     stop (U+002E) . (CVE-2022-42916)

    A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP.
    Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP     step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name     in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN     conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full     stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text     transfer. Because it would store the info IDN encoded but look for it IDN decoded. (CVE-2022-43551)

    A vulnerability was found in curl. In this issue, curl can be asked to tunnel all protocols virtually it     supports through an HTTP proxy. HTTP proxies can deny these tunnel operations using an appropriate HTTP     error response code. When getting denied to tunnel the specific SMB or TELNET protocols, curl can use a     heap-allocated struct after it has been freed and shut down the code path in its transfer.
    (CVE-2022-43552)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:4139 advisory.

    The curl packages provide the libcurl library and the curl utility for downloading files from servers     using various protocols, including HTTP, FTP, and LDAP.

    Security Fix(es):

    * curl: POST following PUT confusion (CVE-2022-32221)

    * curl: HTTP multi-header compression denial of service (CVE-2023-23916)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the dc49f6dc-99d2-11ed-86e9-d4c9ef517024 advisory.

  - A parsing vulnerability for the MessageSet type in the ProtocolBuffers versions prior to and including     3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 3.21.5 for protobuf-cpp, and versions prior to and including     3.16.1, 3.17.3, 3.18.2, 3.19.4, 3.20.1 and 4.21.5 for protobuf-python can lead to out of memory failures.
    A specially crafted message with multiple key-value per elements creates parsing issues, and can lead to a     Denial of Service against services receiving unsanitized input. We recommend upgrading to versions 3.18.3,     3.19.5, 3.20.2, 3.21.6 for protobuf-cpp and 3.18.3, 3.19.5, 3.20.2, 4.21.6 for protobuf-python. Versions     for 3.16 and 3.17 are no longer updated. (CVE-2022-1941)

  - In Cyrus SASL 2.1.17 through 2.1.27 before 2.1.28, plugins/sql.c does not escape the password for a SQL     INSERT or UPDATE statement. (CVE-2022-24407)

  - A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6     and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated     embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between     mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend     updating to the versions mentioned above. (CVE-2022-3171)

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to     ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle     previously was used to issue a `PUT` request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is     changed from a PUT to a POST. (CVE-2022-32221)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions     that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker     with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21836)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: PS). Supported versions that     are affected are 5.7.40 and prior. Easily exploitable vulnerability allows high privileged attacker with     network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server. (CVE-2023-21840)

  - Vulnerability in the MySQL Cluster product of Oracle MySQL (component: Cluster: Internal Operations).
    Supported versions that are affected are 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior and 8.0.31     and prior. Difficult to exploit vulnerability allows high privileged attacker with access to the physical     communication segment attached to the hardware where the MySQL Cluster executes to compromise MySQL     Cluster. Successful attacks require human interaction from a person other than the attacker. Successful     attacks of this vulnerability can result in takeover of MySQL Cluster. (CVE-2023-21860)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21863, CVE-2023-21867, CVE-2023-21870, CVE-2023-21873, CVE-2023-21876,     CVE-2023-21878, CVE-2023-21879, CVE-2023-21881, CVE-2023-21883)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21864, CVE-2023-21865)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.28 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21866)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows low privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21868)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are     affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with     network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server as well as unauthorized update, insert or delete access to some of MySQL Server accessible data.
    (CVE-2023-21869, CVE-2023-21877, CVE-2023-21880)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: InnoDB). Supported versions that are     affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker with     network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server. (CVE-2023-21871)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.29 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server as well as unauthorized update, insert or delete access to some of MySQL Server     accessible data. (CVE-2023-21872)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Thread Pooling). Supported     versions that are affected are 8.0.30 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of     MySQL Server. (CVE-2023-21874)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Encryption).
    Supported versions that are affected are 8.0.31 and prior. Difficult to exploit vulnerability allows high     privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all MySQL Server accessible data and unauthorized ability to cause a hang or frequently     repeatable crash (complete DOS) of MySQL Server. (CVE-2023-21875)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported     versions that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged     attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized update, insert or delete access to some of MySQL Server     accessible data. (CVE-2023-21882)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: GIS). Supported versions     that are affected are 8.0.31 and prior. Easily exploitable vulnerability allows high privileged attacker     with network access via multiple protocols to compromise MySQL Server. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2023-21887)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:8840 advisory.

    Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This     software, such as Apache HTTP Server, is common to multiple JBoss middleware products, and is packaged     under Red Hat JBoss Core Services to allow for faster distribution of updates, and for a more consistent     update experience.

    This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.51 Service Pack 1 serves as a     replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.51, and includes bug fixes and     enhancements, which are documented in the Release Notes document linked to in the References.

    Security Fix(es):

    * httpd: mod_sed: Read/write beyond bounds (CVE-2022-23943)

    * openssl: c_rehash script allows command injection (CVE-2022-1292)

    * openssl: the c_rehash script allows command injection (CVE-2022-2068)

    * httpd: core: Possible buffer overflow with very large or unlimited LimitXMLRequestBody (CVE-2022-22721)

    * httpd: mod_proxy_ajp: Possible request smuggling (CVE-2022-26377)

    * httpd: mod_sed: DoS vulnerability (CVE-2022-30522)

    * httpd: mod_proxy: X-Forwarded-For dropped by hop-by-hop mechanism (CVE-2022-31813)

    * curl: HTTP compression denial of service (CVE-2022-32206)

    * curl: Unpreserved file permissions (CVE-2022-32207)

    * curl: FTP-KRB bad message verification (CVE-2022-32208)

    * curl: POST following PUT confusion (CVE-2022-32221)

    * curl: HTTP proxy double-free (CVE-2022-42915)

    * curl: HSTS bypass via IDN (CVE-2022-42916)

    * curl: CERTINFO never-ending busy-loop (CVE-2022-27781)

    * httpd: Out-of-bounds read via ap_rwrite() (CVE-2022-28614)

    * httpd: Out-of-bounds read in ap_strcmp_match() (CVE-2022-28615)

    * curl: control code in cookie denial of service (CVE-2022-35252)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
211079	Fedora 37 : curl (2022-e9d65906c4)	Nessus	Fedora Local Security Checks	11/14/2024	11/14/2024	critical
173171	Amazon Linux 2023 : curl, curl-minimal, libcurl (ALAS2023-2023-083)	Nessus	Amazon Linux Local Security Checks	3/21/2023	12/11/2024	critical
178430	RHEL 9 : curl (RHSA-2023:4139)	Nessus	Red Hat Local Security Checks	7/18/2023	11/7/2024	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	5/2/2024	7/29/2024	critical
170256	FreeBSD : MySQL -- Multiple vulnerabilities (dc49f6dc-99d2-11ed-86e9-d4c9ef517024)	Nessus	FreeBSD Local Security Checks	1/21/2023	11/1/2023	critical
168498	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP1 (RHSA-2022:8840)	Nessus	Red Hat Local Security Checks	12/8/2022	11/7/2024	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical