According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making     subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    When saving HSTS data to an excessively long file name, curl could end up removing all contents, making     subsequent requests using that file unaware of the HSTS status they should otherwise use.(CVE-2023-46219)

Tenable has extracted the preceding description block directly from the EulerOS curl security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - This flaw allows a malicious HTTP server to set 'super cookies' in curl that are then passed back to more     origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get     sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in     curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a     cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though     `co.uk` is listed as a PSL domain. (CVE-2023-46218)

  - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making     subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - This flaw allows a malicious HTTP server to set 'super cookies' in curl that are then passed back to more     origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get     sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in     curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a     cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though     `co.uk` is listed as a PSL domain. (CVE-2023-46218)

  - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making     subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-9de8973300 advisory.

  - This flaw allows a malicious HTTP server to set super cookies in curl that are then passed back to more     origins than what is otherwise allowed or possible. This allows a site to set cookies that then would get     sent to different and unrelated sites and domains. It could do this by exploiting a mixed case flaw in     curl's function that verifies a given cookie domain against the Public Suffix List (PSL). For example a     cookie could be set with `domain=co.UK` when the URL used a lower case hostname `curl.co.uk`, even though     `co.uk` is listed as a PSL domain. (CVE-2023-46218)

  - When saving HSTS data to an excessively long file name, curl could end up removing all contents, making     subsequent requests using that file unaware of the HSTS status they should otherwise use. (CVE-2023-46219)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1316 advisory.

    Red Hat JBoss Core Services is a set of supplementary software for Red Hat JBoss middleware products. This     software, such as Apache HTTP Server, is common to multiple JBoss middleware products and packaged under     Red Hat JBoss Core Services, to allow for faster distribution of updates and for a more consistent update     experience.

    This release of Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 3 serves as a     replacement for Red Hat JBoss Core Services Apache HTTP Server 2.4.57 Service Pack 2, and includes bug     fixes and enhancements, which are documented in the Release Notes linked to in the References section.

    Security Fix(es):

    * curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)
    * curl: excessively long file name may lead to unknown HSTS status (CVE-2023-46219)
    * httpd: mod_macro: out-of-bounds read vulnerability (CVE-2023-31122)
    * jbcs-httpd24-mod_proxy_cluster: mod_cluster/mod_proxy_cluster: Stored Cross site Scripting     (CVE-2023-6710)
    * jbcs-httpd24-openssl: openssl: Generating excessively long X9.42 DH keys or checking excessively long     X9.42 DH keys or parameters may be very slow (CVE-2023-5678)

    A Red Hat Security Bulletin which addresses further details about this flaw is available in the References     section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0304 advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
197130	EulerOS Virtualization 2.11.0 : curl (EulerOS-SA-2024-1625)	Nessus	Huawei Local Security Checks	5/15/2024	5/15/2024	medium
198194	EulerOS 2.0 SP12 : curl (EulerOS-SA-2024-1760)	Nessus	Huawei Local Security Checks	5/30/2024	5/30/2024	medium
191987	EulerOS 2.0 SP10 : curl (EulerOS-SA-2024-1310)	Nessus	Huawei Local Security Checks	3/12/2024	3/12/2024	medium
191992	EulerOS 2.0 SP10 : curl (EulerOS-SA-2024-1332)	Nessus	Huawei Local Security Checks	3/12/2024	3/12/2024	medium
193631	EulerOS Virtualization 2.10.1 : curl (EulerOS-SA-2024-1543)	Nessus	Huawei Local Security Checks	4/19/2024	4/19/2024	medium
186705	Fedora 39 : curl (2023-9de8973300)	Nessus	Fedora Local Security Checks	12/9/2023	4/29/2024	medium
192200	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.57 SP3 (RHSA-2024:1316)	Nessus	Red Hat Local Security Checks	3/18/2024	6/3/2024	medium
194921	Splunk Universal Forwarder 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0304)	Nessus	CGI abuses	5/2/2024	5/30/2024	critical

Detections

Analytics

Plugins Search

medium

medium

medium

medium

medium

medium

medium

critical