The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7637 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

    See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset     Attack) (CVE-2023-44487)

    * avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK     (CVE-2023-39410)

    * guava: insecure temporary directory creation (CVE-2023-2976)

    * eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)

    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

    * sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

    A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the     References section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7638 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

    See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset     Attack) (CVE-2023-44487)

    * avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK     (CVE-2023-39410)

    * guava: insecure temporary directory creation (CVE-2023-2976)

    * eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)

    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

    * sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

    A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the     References section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0800 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.7 on RHEL 9 serves as a replacement for Red Hat Single Sign-On     7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):
    * redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts     (CVE-2023-6291)
    * guava: insecure temporary directory creation (CVE-2023-2976)
    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)
    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
    * reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)
    * open redirect via form_post.jwt JARM response mode (CVE-2023-6927)
    * santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
    * Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2539-1 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an     attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering     with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it     will continue to read the cookie string until it sees a closing quote -- even if a semicolon is     encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as     one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate     cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the     DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into     the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is     enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by     the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,     11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - ** UNSUPPORTED WHEN ASSIGNED ** When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE     less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply     nested) hashmap or hashtable (depending on which logging component is in use) to be processed could     exhaust the available memory in the virtual machine and achieve Denial of Service when the object is     deserialized. This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j     2.x. NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
    (CVE-2023-26464)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0798 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.7 on RHEL 7 serves as a replacement for Red Hat Single Sign-On     7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):
    * redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts     (CVE-2023-6291)
    * guava: insecure temporary directory creation (CVE-2023-2976)
    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)
    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
    * reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)
    * open redirect via form_post.jwt JARM response mode (CVE-2023-6927)
    * santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
    * Log Injection during WebAuthn authentication or registration (CVE-2023-6484)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3592 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an     attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering     with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it     will continue to read the cookie string until it sees a closing quote -- even if a semicolon is     encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as     one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate     cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the     DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into     the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is     enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by     the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,     11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5507 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an     attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering     with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it     will continue to read the cookie string until it sees a closing quote -- even if a semicolon is     encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as     one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate     cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the     DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into     the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is     enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by     the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,     11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

  - Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15     are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested     `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current     request will still treat the user as authenticated. The authentication is then cleared from the session     and subsequent requests will not be treated as authenticated. So a request on a previously authenticated     session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This     impacts usages of the jetty-openid which have configured a nested `LoginService` and where that     `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and     11.0.16 have a patch for this issue. (CVE-2023-41900)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:7639 advisory.

    Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly     application runtime.

    This release of Red Hat JBoss Enterprise Application Platform 7.4.14 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 7.4.13, and includes bug fixes and enhancements.

    See the Red Hat JBoss Enterprise Application Platform 7.4.14 Release Notes for information about the most     significant bug fixes and enhancements included in this release.

    Security Fix(es):

    * undertow: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset     Attack) (CVE-2023-44487)

    * avro: apache-avro: Apache Avro Java SDK: Memory when deserializing untrusted data in Avro Java SDK     (CVE-2023-39410)

    * guava: insecure temporary directory creation (CVE-2023-2976)

    * eap-galleon: custom provisioning creates unsecured http-invoker (CVE-2023-4503)

    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)

    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

    * sshd-common: apache-mina-sshd: information exposure in SFTP server implementations (CVE-2023-35887)

    A Red Hat Security Bulletin which addresses further details about the Rapid Reset flaw is available in the     References section.

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0778 advisory.

    Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a     software project or jobs run by cron.

    Security Fix(es):

    * apache-commons-text: variable interpolation RCE (CVE-2022-42889)

    * google-oauth-client: missing PKCE support in accordance with the RFC for OAuth 2.0 for Native Apps can     lead to improper authorization (CVE-2020-7692)

    * maven: Block repositories using http by default (CVE-2021-26291)

    * snakeyaml: Denial of Service due to missing nested depth limitation for collections (CVE-2022-25857)

    * maven-shared-utils: Command injection via Commandline class (CVE-2022-29599)

    * jenkins-2-plugins/script-security: Sandbox bypass vulnerability in Script Security Plugin     (CVE-2023-24422)

    * jenkins: Arbitrary file read vulnerability through the CLI can lead to RCE (CVE-2024-23897)

    * jenkins: cross-site WebSocket hijacking (CVE-2024-23898)

    * golang: go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

    * guava: insecure temporary directory creation (CVE-2023-2976)

    * springframework: Spring Expression DoS Vulnerability (CVE-2023-20861)

    * spring-security: Empty SecurityContext Is Not Properly Saved Upon Logout (CVE-2023-20862)

    * jenkins-2-plugins/JUnit: Stored XSS vulnerability in JUnit Plugin (CVE-2023-25761)

    * jenkins-2-plugins/pipeline-build-step: Stored XSS vulnerability in Pipeline: Build Step Plugin     (CVE-2023-25762)

    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)

    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)

    * Jenkins: Open redirect vulnerability in OpenShift Login Plugin (CVE-2023-37947)

    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)

    * jenkins-plugins: cloudbees-folder: CSRF vulnerability in Folders Plugin (CVE-2023-40337)

    * jenkins-plugins: cloudbees-folder: Information disclosure in Folders Plugin (CVE-2023-40338)

    * jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin     (CVE-2023-40339)

    * jenkins-plugins: blueocean: CSRF vulnerability in Blue Ocean Plugin allows capturing credentials     (CVE-2023-40341)

    * Jenkins: Temporary file parameter created with insecure permissions (CVE-2023-27903)

    * Jenkins: Information disclosure through error stack traces related to agents (CVE-2023-27904)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0799 advisory.

    Red Hat Single Sign-On 7.6 is a standalone server, based on the Keycloak project, that provides     authentication and standards-based single sign-on capabilities for web and mobile applications.

    This release of Red Hat Single Sign-On 7.6.7 on RHEL 8 serves as a replacement for Red Hat Single Sign-On     7.6.6, and includes bug fixes and enhancements, which are documented in the Release Notes document linked     to in the References.

    Security Fix(es):
    * redirect_uri validation logic that allows for a bypass of otherwise explicitly allowed hosts     (CVE-2023-6291)
    * guava: insecure temporary directory creation (CVE-2023-2976)
    * jetty-server: OutOfMemoryError for large multipart without filename read via request.getParameter()     (CVE-2023-26048)
    * jetty-server: Cookie parsing of quoted values can exfiltrate values from other cookies (CVE-2023-26049)
    * reflected XSS via wildcard in OIDC redirect_uri (CVE-2023-6134)
    * open redirect via form_post.jwt JARM response mode (CVE-2023-6927)
    * santuario: Private Key disclosure in debug-log output (CVE-2023-44483)
    * Log Injection during WebAuthn authentication or registration (CVE-2023-6484)3-44483)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
186542	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 7 (RHSA-2023:7637)	Nessus	Red Hat Local Security Checks	12/4/2023	11/7/2024	high
186543	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 8 (RHSA-2023:7638)	Nessus	Red Hat Local Security Checks	12/4/2023	11/7/2024	high
190496	RHEL 9 : Red Hat Single Sign-On 7.6.7 security update on RHEL 9 (Important) (RHSA-2024:0800)	Nessus	Red Hat Local Security Checks	2/13/2024	11/7/2024	high
177440	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:2539-1)	Nessus	SuSE Local Security Checks	6/20/2023	7/14/2023	medium
199118	RHEL 9 : log4j (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	6/3/2024	7/16/2024	medium
190499	RHEL 7 : Red Hat Single Sign-On 7.6.7 security update on RHEL 7 (Important) (RHSA-2024:0798)	Nessus	Red Hat Local Security Checks	2/13/2024	11/7/2024	high
182409	Debian DLA-3592-1 : jetty9 - LTS security update	Nessus	Debian Local Security Checks	10/1/2023	3/21/2024	medium
182198	Debian DSA-5507-1 : jetty9 - security update	Nessus	Debian Local Security Checks	9/29/2023	3/21/2024	medium
186544	RHEL 9 : Red Hat JBoss Enterprise Application Platform 7.4.14 on RHEL 9 (RHSA-2023:7639)	Nessus	Red Hat Local Security Checks	12/4/2023	11/7/2024	high
194435	RHEL 8 : Jenkins and Jenkins-2-plugins (RHSA-2024:0778)	Nessus	Red Hat Local Security Checks	4/29/2024	11/7/2024	critical
190501	RHEL 8 : Red Hat Single Sign-On 7.6.7 security update on RHEL 8 (Important) (RHSA-2024:0799)	Nessus	Red Hat Local Security Checks	2/13/2024	11/7/2024	high

Detections

Analytics

Plugins Search

high

high

high

medium

medium

high

medium

medium

high

critical

high