The version of Apache Tomcat installed on the remote host is 8.5.0 to 8.5.75 or 9.0.0.M1 to 9.0.20. It is, therefore, affected by a request mix-up vulnerability. If a web application sends a WebSocket message concurrently with the WebSocket connection closing, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.6. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6 advisory.

  - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in     xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
    (CVE-2021-45960)

  - Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and     expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an     instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with     version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that     could result in arbitrary code execution or contact with remote servers. These lookups are: - script -     execute expressions using the JVM script execution engine (javax.script) - dns - resolve dns records -     url - load values from urls, including from remote servers Applications using the interpolation defaults     in the affected versions may be vulnerable to remote code execution or unintentional contact with remote     servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons     Text 1.10.0, which disables the problematic interpolators by default. (CVE-2022-42889)

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the     Form authentication example in the examples web application displayed user provided data without     filtering, exposing a XSS vulnerability. (CVE-2022-34305)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4847 advisory.

    The Public Key Infrastructure (PKI) Core contains fundamental packages required by Red Hat Certificate     System.

    Security Fix(es):

    * jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)

    * bootstrap: XSS in the data-target attribute (CVE-2016-10735)

    * bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)

    * bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)

    * bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

    * jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution,     or property injection (CVE-2019-11358)

    * jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

    * jquery: Passing HTML containing <option> elements to manipulation methods could result in untrusted code     execution (CVE-2020-11023)

    * pki: Dogtag's python client does not validate certificates (CVE-2020-15720)

    * pki-core: Reflected XSS in 'path length' constraint field in CA's Agent page (CVE-2019-10146)

    * pki-core/pki-kra: Reflected XSS in recoveryID search field at KRA's DRM agent page in authorize recovery     tab (CVE-2019-10179)

    * pki-core: Reflected XSS in getcookies?url= endpoint in CA (CVE-2019-10221)

    * pki-core: KRA vulnerable to reflected XSS via the getPk12 page (CVE-2020-1721)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.1.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.1.1.5 advisory.

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21426)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21434)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.20.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.20.4.5 advisory.

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21426)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21434)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.76. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.76_security-8 advisory.

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.81-1.91. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1627 advisory.

    A flaw was found in the tomcat package. When a web application sends a WebSocket message concurrently with     the WebSocket connection closing, the application may continue to use the socket after it has been closed.
    In this case, the error handling triggered could cause the pooled object to be placed in the pool twice.
    This issue results in subsequent connections using the same object concurrently, which causes data to be     potentially returned to the wrong user or application stability issues. (CVE-2022-25762)

    The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.21_security-9 advisory.

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
113231	Apache Tomcat 9.0.0.M1 < 9.0.21 Request Mix-Up	Web App Scanning	Component Vulnerability	5/13/2022	3/14/2023	high
113232	Apache Tomcat 8.5.x < 8.5.76 Request Mix-Up	Web App Scanning	Component Vulnerability	5/13/2022	3/14/2023	high
170557	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6)	Nessus	Misc.	1/24/2023	2/17/2025	critical
142409	RHEL 8 : pki-core:10.6 and pki-deps:10.6 (RHSA-2020:4847)	Nessus	Red Hat Local Security Checks	11/4/2020	3/6/2025	critical
167224	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.5)	Nessus	Misc.	11/9/2022	6/7/2024	critical
164600	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1.5)	Nessus	Misc.	9/1/2022	2/17/2025	high
164613	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.4.5)	Nessus	Misc.	9/1/2022	2/17/2025	high
161181	Apache Tomcat 8.5.0 < 8.5.76	Nessus	Web Servers	5/13/2022	5/23/2024	high
163869	Amazon Linux AMI : tomcat8 (ALAS-2022-1627)	Nessus	Amazon Linux Local Security Checks	8/5/2022	12/11/2024	high
161159	Apache Tomcat 9.0.0.M1 < 9.0.21	Nessus	Web Servers	5/13/2022	5/23/2024	high
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	3/8/2024	3/12/2024	critical

Detections

Analytics

Plugins Search

high

high

critical

critical

critical

high

high

high

high

high

critical