The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-27ec59a486 advisory.

    Update to version 4.7.4     Security fix for CVE-2022-41854


Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-375 advisory.

    Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the     parser is running on user supplied input, an attacker may supply content that causes the parser to crash     by stack-overflow. (CVE-2022-38752)

    Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS).
    If the parser is running on user supplied input, an attacker may supply content that causes the parser to     crash by stack overflow. This effect may support a denial of service attack. (CVE-2022-41854)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS).
    If the parser is running on user supplied input, an attacker may supply content that causes the parser to     crash by stack overflow. This effect may support a denial of service attack. (CVE-2022-41854)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2707 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.3 on RHEL 9 serves as a replacement for Red Hat Single Sign-On     7.6.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):

    * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1514 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

    * hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

    * Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-c01dd659fa advisory.

    Security fix for CVE-2022-41854

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1513 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.9, and includes bug fixes and enhancements. See the Red Hat     JBoss Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug     fixes and enhancements included in this release.

    Security Fix(es):

    * SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

    * hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

    * Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 36 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2022-8a4e8aa190 advisory.

    Security fix for CVE-2022-41854

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2706 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.3 on RHEL 8 serves as a replacement for Red Hat Single Sign-On     7.6.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):

    * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:2705 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.3 on RHEL 7 serves as a replacement for Red Hat Single Sign-On     7.6.2, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):

    * okhttp: information disclosure via improperly used cryptographic function (CVE-2021-0341)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1512 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.10 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.9 and includes bug fixes and enhancements. See the Red Hat JBoss     Enterprise Application Platform 7.4.10 Release Notes for information about the most significant bug fixes     and enhancements included in this release.

    Security Fix(es):

    * SnakeYaml: Constructor Deserialization Remote Code Execution (CVE-2022-1471)

    * hsqldb: Untrusted input may lead to RCE attack (CVE-2022-41853)

    * Undertow: Infinite loop in SslConduit during close (CVE-2023-1108)

    * undertow: Server identity in https connection is not checked by the undertow client (CVE-2022-4492)

    * snakeyaml: Uncaught exception in java.base/java.util.ArrayList.hashCode (CVE-2022-38752)

    * dev-java/snakeyaml: DoS via stack overflow (CVE-2022-41854)

    * codec-haproxy: HAProxyMessageDecoder Stack Exhaustion DoS (CVE-2022-41881)

    * apache-james-mime4j: Temporary File Information Disclosure in MIME4J TempFileStorageProvider     (CVE-2022-45787)

    * RESTEasy: creation of insecure temp files (CVE-2023-0482)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of IBM Cognos Analytics installed on the remote host is prior to 11.1.7 FP8, 11.2.4 FP3, or 12.0.2. It is, therefore, affected by multiple vulnerabilities as referenced in the IBM Security Bulletin No. 7123154, including the following:

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the   allowed constraints and thus lead to out of memory on the system. This issue affects Java applications using   Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3 which   addresses this issue. (CVE-2023-39410)

  - In order to decrypt SM2 encrypted data an application is expected to call the API function   EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the   'out' parameter can be NULL and, on exit, the 'outlen' parameter is populated with the buffer size required   to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call   EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the 'out' parameter. A bug in the   implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the   plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by   the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a   second time with a buffer that is too small. A malicious attacker who is able present SM2 content for   decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of   62 bytes altering the contents of other data held after the buffer, possibly changing application behaviour   or causing the application to crash. The location of the buffer is application dependent but is typically   heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k). (CVE-2021-3711)

  - SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization.
  Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using   SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend   upgrading to version 2.0 and beyond. (CVE-2022-1471)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
178005	Fedora 38 : picocli (2023-27ec59a486)	Nessus	Fedora Local Security Checks	7/6/2023	11/14/2024	medium
182465	Amazon Linux 2023 : snakeyaml, snakeyaml-javadoc (ALAS2023-2023-375)	Nessus	Amazon Linux Local Security Checks	10/3/2023	12/11/2024	medium
224974	Linux Distros Unpatched Vulnerability : CVE-2022-41854	Nessus	Misc.	3/5/2025	3/5/2025	medium
175556	RHEL 9 : Red Hat Single Sign-On 7.6.3 security update on RHEL 9 (Moderate) (RHSA-2023:2707)	Nessus	Red Hat Local Security Checks	5/13/2023	11/7/2024	high
173691	RHEL 9 : Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 9 (RHSA-2023:1514)	Nessus	Red Hat Local Security Checks	3/30/2023	11/8/2024	critical
211029	Fedora 37 : snakeyaml (2022-c01dd659fa)	Nessus	Fedora Local Security Checks	11/14/2024	11/14/2024	medium
173692	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 8 (RHSA-2023:1513)	Nessus	Red Hat Local Security Checks	3/30/2023	11/7/2024	critical
169224	Fedora 36 : snakeyaml (2022-8a4e8aa190)	Nessus	Fedora Local Security Checks	12/23/2022	11/14/2024	medium
175557	RHEL 8 : Red Hat Single Sign-On 7.6.3 security update on RHEL 8 (Moderate) (RHSA-2023:2706)	Nessus	Red Hat Local Security Checks	5/13/2023	11/7/2024	high
175558	RHEL 7 : Red Hat Single Sign-On 7.6.3 security update on RHEL 7 (Moderate) (RHSA-2023:2705)	Nessus	Red Hat Local Security Checks	5/13/2023	11/7/2024	high
173690	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.10 on RHEL 7 (RHSA-2023:1512)	Nessus	Red Hat Local Security Checks	3/30/2023	11/7/2024	critical
193868	IBM Cognos Analytics 11.1.1 < 11.1.7 FP8 / 11.2.x < 11.2.4 FP3 / 12.0.x < 12.0.2 (7123154)	Nessus	CGI abuses	4/25/2024	12/18/2024	critical

Detections

Analytics

Plugins Search

medium

medium

medium

high

critical

medium

critical

medium

high

high

critical

critical