The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2024 CPU advisory.

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected     are 19.3-19.21 and 21.3-21.12. Easily exploitable vulnerability allows low privileged attacker having     Create Session, Create Procedure privilege with network access via Oracle Net to compromise Java VM.
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification     access to critical data or all Java VM accessible data. (CVE-2024-20903)

  - Vulnerability in the Oracle Spatial and Graph (curl) component of Oracle Database Server. Supported     versions that are affected are 19.3-19.21, 21.3-21.12 and 23.3. Easily exploitable vulnerability allows     low privileged attacker having Authenticated User privilege with network access via HTTP to compromise     Oracle Spatial and Graph (curl). Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Spatial and Graph (curl).
    (CVE-2023-38545)

  - Vulnerability in the Oracle Text component of Oracle Database Server. Supported versions that are affected     are 19.3-19.21. Easily exploitable vulnerability allows high privileged attacker having DBA privilege with     network access via Oracle Net to compromise Oracle Text. Successful attacks of this vulnerability can     result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Text.
    (CVE-2022-21432)

  - Security-in-depth update for non-exploitable vulnerabilities CVE-2022-41409, CVE-2022-46337, CVE-2023-2976,     CVE-2023-4043, CVE-2023-36479, CVE-2023-40167, CVE-2023-41900, CVE-2023-42794, CVE-2023-42795,     CVE-2023-44487, CVE-2023-45648 and CVE-2023-46589,.


Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 / 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5507 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an     attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering     with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it     will continue to read the cookie string until it sees a closing quote -- even if a semicolon is     encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as     one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate     cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the     DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into     the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is     enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by     the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,     11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

  - Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15     are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested     `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current     request will still treat the user as authenticated. The authentication is then cleared from the session     and subsequent requests will not be treated as authenticated. So a request on a previously authenticated     session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This     impacts usages of the jetty-openid which have configured a nested `LoginService` and where that     `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and     11.0.16 have a patch for this issue. (CVE-2023-41900)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:4210-1 advisory.

  - Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0     through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in `MetaDataBuilder.checkSize` allows for     HTTP/2 HPACK header values to exceed their size limit. `MetaDataBuilder.java` determines if a header name     or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is     very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become     negative. `(_size+length)` will now be negative, and the check on line 296 will not be triggered.
    Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative,     potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by     2. This means that if a user provides a negative length value (or, more precisely, a length value which,     when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive     number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server.
    Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions     11.0.16, 10.0.16, and 9.4.53. There are no known workarounds. (CVE-2023-36478)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

  - Jetty is a Java based web server and servlet engine. Versions 9.4.21 through 9.4.51, 10.0.15, and 11.0.15     are vulnerable to weak authentication. If a Jetty `OpenIdAuthenticator` uses the optional nested     `LoginService`, and that `LoginService` decides to revoke an already authenticated user, then the current     request will still treat the user as authenticated. The authentication is then cleared from the session     and subsequent requests will not be treated as authenticated. So a request on a previously authenticated     session could be allowed to bypass authentication after it had been rejected by the `LoginService`. This     impacts usages of the jetty-openid which have configured a nested `LoginService` and where that     `LoginService` will is capable of rejecting previously authenticated users. Versions 9.4.52, 10.0.16, and     11.0.16 have a patch for this issue. (CVE-2023-41900)

  - The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation     can reset many streams quickly, as exploited in the wild in August through October 2023. (CVE-2023-44487)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0797 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.

    Security fix(es):
    * CVE-2023-26049 (puppetserver): Cookie parsing of quoted values can exfiltrate values from other cookies
    * CVE-2023-26141 (rubygem-sidekiq): Denial of Service (DoS) in dashboard-charts
    * CVE-2023-36479 (puppetserver): Improper addition of quotation marks to user inputs in CgiServlet
    * CVE-2023-38545 (puppet-agent): Heap-based buffer overflow in the SOCKS5 proxy handshake
    * CVE-2023-40167 (puppetserver): Improper validation of HTTP/1 content-length
    * CVE-2023-40175 (rubygem-puma): HTTP request smuggling when parsing chunked transfer encoding bodies and     zero-length content-length headers
    * CVE-2023-4785 (rubygem-grpc): File descriptor exhaustion leads to denial of service
    * CVE-2023-0809, CVE-2023-28366, CVE-2023-3592 (mosquitto): Memory leak leads to unresponsive broker

    This update fixes the following bugs:
    2250347 - 'Sun, 11 Jun 2023 17:51:29 GMT' could not be parsed at index 0 at     java.time.format.DateTimeFormatter.parseResolved     2254974 - satellite-convert2rhel-toolkit install fails on latest rpm with `/usr/bin/bash:
    /usr/libexec/satellite-convert2rhel-appliance/action-install.sh: No such file or directory`     2255260 - 6.14 - satellite-convert2rhel-toolkit is part of the satellite module     2257321 - Request for UEFI Kickstart Provisioning to handle naming convention for VLAN tagged interfaces     of the format <parent_device>.<vlan_id> in addition to vlan<vlan_id>     2257324 - Generate applicability tasks fails with error ERROR: insert or update on table     katello_content_facet_errata violates foreign key constraint katello_content_facet_errata_ca_id     2257326 - Show failed resources in failed installation report     2257327 - Puppet reports without any messages don't get an origin     2257329 - Host registration fails with error Attached to can't be blank when the VLAN name includes     UPPERCASE letters     2257330 - default tuning profile leaves httpd MaxClients 150 which httpd raises a warning     2257331 - Registering host through load balancer causes REX not to know what capsule to choose for     'registered_through'     2257332 - Registration can't find any Capsules when their locations are not assigned to admin user     2257415 - Provisioning vm host fails with error Failed to attach ISO image to CDROM drive of instance     client.example.com: InvalidPowerState: The attempted operation cannot be performed in the current state     (Powered on).
    2260525 - [Improvement] RefreshRepos step in Capsule Sync to refresh just repos to sync     2262131 - Unable to sync library/busybox from gcr.io

    Users of Red Hat Satellite are advised to upgrade to these updated     packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2010 advisory.

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s)     listed in the References section.

    Security fixes:
    * python-pygments: ReDoS in pygments (CVE-2022-40896)
    * python-pycryptodomex: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex     (CVE-2023-52323)
    * satellite: Arithmetic overflow in satellite (CVE-2023-4320)
    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
    * rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)
    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
    * python-django: Potential denial of service vulnerability in `django.utils.encoding.uri_to_iri()`     (CVE-2023-41164)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-aiohttp: Numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: HTTP request modification (CVE-2023-49081)
    * python-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
    * rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies (CVE-2024-21647)
    * rubygem-audited: Race condition can lead to audit logs being incorrectly attributed to the wrong user     (CVE-2024-22047)
    * python-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)
    * python-aiohttp: Follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: HTTP request smuggling (CVE-2024-23829)

    Additional Changes:
    This update also fixes several bugs and adds various enhancements.

    Documentation for these changes is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2024-2394 advisory.

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3592 advisory.

  - Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support     (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or     `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request     with a part that has a name but no filename and very large content. This happens even with the default     settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client     may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server     may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some     time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade.
    Users unable to upgrade may set the multipart parameter `maxRequestSize` which must be set to a non-     negative value, so the whole multipart content is limited (although still read into memory).
    (CVE-2023-26048)

  - Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an     attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering     with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `` (double quote), it     will continue to read the cookie string until it sees a closing quote -- even if a semicolon is     encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=b; JSESSIONID=1337; c=d` will be parsed as     one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate     cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the     DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into     the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is     enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by     the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14,     11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
    (CVE-2023-26049)

  - Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the     CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a     request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet     will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command     prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the     user contains a quotation mark followed by a space, the resulting command line will contain multiple     tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
    (CVE-2023-36479)

  - Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and     12.0.1, Jetty accepts the `+` character proceeding the content-length value in a HTTP/1 header field. This     is more permissive than allowed by the RFC and other servers routinely reject such requests with 400     responses. There is no known exploit scenario, but it is conceivable that request smuggling could result     if jetty is used in combination with a server that does not close the connection after sending such a 400     response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no     workaround as there is no known exploit scenario. (CVE-2023-40167)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
189165	Oracle Database Server (January 2024 CPU)	Nessus	Databases	1/18/2024	4/19/2024	medium
182198	Debian DSA-5507-1 : jetty9 - security update	Nessus	Debian Local Security Checks	9/29/2023	3/21/2024	medium
183942	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : jetty-minimal (SUSE-SU-2023:4210-1)	Nessus	SuSE Local Security Checks	10/27/2023	2/9/2024	medium
194396	RHEL 8 : Satellite 6.14.2 Async Security Update (Important) (RHSA-2024:0797)	Nessus	Red Hat Local Security Checks	4/28/2024	11/11/2024	critical
199805	RHEL 8 : Satellite 6.15.0 (Important) (RHSA-2024:2010)	Nessus	Red Hat Local Security Checks	6/3/2024	11/7/2024	high
196483	RHEL 7 : jetty (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	5/11/2024	5/31/2024	high
187825	Amazon Linux 2 : jetty (ALAS-2024-2394)	Nessus	Amazon Linux Local Security Checks	1/9/2024	1/10/2024	medium
182409	Debian DLA-3592-1 : jetty9 - LTS security update	Nessus	Debian Local Security Checks	10/1/2023	3/21/2024	medium

Detections

Analytics

Plugins Search

medium

medium

medium

critical

high

high

medium

medium