The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1640 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-controller: Django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)
    * automation-controller: aiohttp: http request smuggling (CVE-2024-23829)
    * automation-controller: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * automation-controller: Jinja2: HTML attribute injection when passing user input as keys to xmlattr     filter (CVE-2024-22195)
    * automation-controller: cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)
    * automation-controller: aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * automation-controller: Twisted: disordered HTTP pipeline response in twisted.web (CVE-2023-46137)
    * automation-controller: axios: exposure of confidential data stored in cookies (CVE-2023-45857)
    * automation-controller: GitPython: Blind local file inclusion (CVE-2023-41040)
    * python3-aiohttp/python39-aiohttp: http request smuggling (CVE-2024-23829)
    * python3-aiohttp/python39-aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python3-django/python39-django: Potential regular expression denial-of-service in     django.utils.text.Truncator.words() (CVE-2024-27351)
    * receptor: golang-fips/openssl: Memory leaks in code encrypting and decrypting RSA payloads     (CVE-2024-1394)
    * receptor: golang: net/http/internal: Denial of Service (DoS) via Resource Consumption via HTTP requests     (CVE-2023-39326)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * Fixed bug where schedule prompted variables and survey answers were reset on edit when changing one of     the basic form fields (AAP-20967)
    * Fixed the update execution environment image to no longer fail jobs that use the previous image     (AAP-21733)
    * Removed string validation using comparisons of English literals for comparison, replacing validation     with error/op codes as a universal approach to validation and comparison (AAP-21721)
    * Fixed dispatcher to appropriately terminate child processes when dispatcher terminates (AAP-21049)
    * Fixed upgrade from Ansible Tower 3.8.6 to AAP 2.4 to no longer fail upon database schema migration     (AAP-19738)
    * automation-controller has been updated to 4.5.5

    Updates and fixes for receptor:
    * Fixes a receptor dialing issue where the connection attempt is timed out too aggressively (AAP-21838,     AAP-21828)
    * receptor has been updated to 1.4.5

    Additional fixes:
    * ansible-core has been updated to 2.15.10
    * ansible-runner has been updated to 2.3.6
    * python3-aiohttp/python39-aiohttp has been updated to 3.9.3
    * python3-django/python39-django has been updated  4.2.11
    * python3-pulpcore/python39-pulpcore has been updated 3.28.24

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-5130a73b00 advisory.

    Security fix for CVE-2023-47627

    https://pagure.io/fesco/issue/3106

    ## python-aiohttp 3.8.6 (2023-10-07)

    https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

    ### Security bugfixes

    - Upgraded `llhttp` to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
    - Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-     libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

    ### Deprecation

    - Added `fallback_charset_resolver` parameter in `ClientSession` to allow a user-supplied character set     detection function. Character set detection will no longer be included in 3.9 as a default. If this     feature is needed, please use     [`fallback_charset_resolver`](https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-     detection).

    ### Features

    - Enabled lenient response parsing for more flexible parsing in the client (this should resolve some     regressions when dealing with badly formatted HTTP responses).

    ### Bugfixes

    - Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
    - Fixed output of parsing errors pointing to a `\n`.
    - Fixed `GunicornWebWorker` max_requests_jitter not working.
    - Fixed sorting in `filter_cookies` to use cookie with longest path.
    - Fixed display of `BadStatusLine` messages from `llhttp`.

    ----

    ## llhttp 9.1.3

    ### Fixes

    - Restart the parser on HTTP 100
    - Fix chunk extensions quoted-string value parsing
    - Fix lenient_flags truncated on reset
    - Fix chunk extensions parameters parsing when more then one name-value pair provided

    ## llhttp 9.1.2

    ### What's Changed

    - Fix HTTP 1xx handling

    ## llhttp 9.1.1

    ### What's Changed

    - feat: Expose new lenient methods

    ## llhttp 9.1.0

    ### What's Changed

    - New lenient flag to make CR completely optional
    - New lenient flag to have spaces after chunk header

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2010 advisory.

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s)     listed in the References section.

    Security fixes:
    * python-pygments: ReDoS in pygments (CVE-2022-40896)
    * python-pycryptodomex: Side-channel leakage for OAEP decryption in PyCryptodome and pycryptodomex     (CVE-2023-52323)
    * satellite: Arithmetic overflow in satellite (CVE-2023-4320)
    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * jetty: Improper addition of quotation marks to user inputs in CgiServlet (CVE-2023-36479)
    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)
    * rubygem-activesupport: File Disclosure of Locally Encrypted Files (CVE-2023-38037)
    * jetty: Improper validation of HTTP/1 content-length (CVE-2023-40167)
    * python-django: Potential denial of service vulnerability in `django.utils.encoding.uri_to_iri()`     (CVE-2023-41164)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-aiohttp: Numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: HTTP request modification (CVE-2023-49081)
    * python-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)
    * rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies (CVE-2024-21647)
    * rubygem-audited: Race condition can lead to audit logs being incorrectly attributed to the wrong user     (CVE-2024-22047)
    * python-jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)
    * python-aiohttp: Follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: HTTP request smuggling (CVE-2024-23829)

    Additional Changes:
    This update also fixes several bugs and adds various enhancements.

    Documentation for these changes is available from the Release Notes document linked to in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-bc1f081ca0 advisory.

    Security fix for CVE-2023-47627

    https://pagure.io/fesco/issue/3106

    ## python-aiohttp 3.8.6 (2023-10-07)

    https://github.com/aio-libs/aiohttp/blob/v3.8.6/CHANGES.rst#386-2023-10-07

    ### Security bugfixes

    - Upgraded `llhttp` to v9.1.3: https://github.com/aio-libs/aiohttp/security/advisories/GHSA-pjjw-qhg8-p2p9
    - Updated Python parser to comply with RFCs 9110/9112: https://github.com/aio-     libs/aiohttp/security/advisories/GHSA-gfw2-4jvh-wgfg

    ### Deprecation

    - Added `fallback_charset_resolver` parameter in `ClientSession` to allow a user-supplied character set     detection function. Character set detection will no longer be included in 3.9 as a default. If this     feature is needed, please use     [`fallback_charset_resolver`](https://docs.aiohttp.org/en/stable/client_advanced.html#character-set-     detection).

    ### Features

    - Enabled lenient response parsing for more flexible parsing in the client (this should resolve some     regressions when dealing with badly formatted HTTP responses).

    ### Bugfixes

    - Fixed `PermissionError` when `.netrc` is unreadable due to permissions.
    - Fixed output of parsing errors pointing to a `\n`.
    - Fixed `GunicornWebWorker` max_requests_jitter not working.
    - Fixed sorting in `filter_cookies` to use cookie with longest path.
    - Fixed display of `BadStatusLine` messages from `llhttp`.

    ----

    ## llhttp 9.1.3

    ### Fixes

    - Restart the parser on HTTP 100
    - Fix chunk extensions quoted-string value parsing
    - Fix lenient_flags truncated on reset
    - Fix chunk extensions parameters parsing when more then one name-value pair provided

    ## llhttp 9.1.2

    ### What's Changed

    - Fix HTTP 1xx handling

    ## llhttp 9.1.1

    ### What's Changed

    - feat: Expose new lenient methods

    ## llhttp 9.1.0

    ### What's Changed

    - New lenient flag to make CR completely optional
    - New lenient flag to have spaces after chunk header

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2024-0718 advisory.

  - jackson-databind through 2.15.2 allows attackers to cause a denial of service or other unspecified impact     via a crafted object that uses cyclic dependencies. NOTE: the vendor's perspective is that this is not a     valid vulnerability report, because the steps of constructing a cyclic data structure and trying to     serialize it cannot be achieved by an external attacker. (CVE-2023-35116)

  - In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input     string, like //../foo, or \\..\foo, the result would be the same value, thus possibly providing access     to files in the parent directory, but not further above (thus limited path traversal), if the calling     code would use the result to construct a path value. (CVE-2021-29425)

  - snappy-java is a Java port of the snappy, a fast C++ compresser/decompresser developed by Google. The     SnappyInputStream was found to be vulnerable to Denial of Service (DoS) attacks when decompressing data     with a too large chunk size. Due to missing upper bound check on chunk length, an unrecoverable fatal     error can occur. All versions of snappy-java including the latest released version 1.1.10.3 are vulnerable     to this issue. A fix has been introduced in commit `9f8c3cf74` which will be included in the 1.1.10.4     release. Users are advised to upgrade. Users unable to upgrade should only accept compressed data from     trusted sources. (CVE-2023-43642)

  - snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer     overflow may occur in versions prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[]     input)` in the file `BitShuffle.java` receives an array of integers and applies a bit shuffle on it. It     does so by multiplying the length by 4 and passing it to the natively compiled shuffle function. Since the     length is not tested, the multiplication by four can cause an integer overflow and become a smaller value     than the true size, or even zero or negative. In the case of a negative value, a     `java.lang.NegativeArraySizeException` exception will raise, which can crash the program. In a case of a     value that is zero or too small, the code that afterwards references the shuffled array will assume a     bigger size of the array, which might cause exceptions such as `java.lang.ArrayIndexOutOfBoundsException`.
    The same issue exists also when using the `shuffle` functions that receive a double, float, long and     short, each using a different multiplier that may cause the same issue. Version 1.1.10.1 contains a patch     for this vulnerability. (CVE-2023-34453)

  - snappy-java is a fast compressor/decompressor for Java. Due to unchecked multiplications, an integer     overflow may occur in versions prior to 1.1.10.1, causing an unrecoverable fatal error. The function     `compress(char[] input)` in the file `Snappy.java` receives an array of characters and compresses it. It     does so by multiplying the length by 2 and passing it to the rawCompress` function. Since the length is     not tested, the multiplication by two can cause an integer overflow and become negative. The rawCompress     function then uses the received length and passes it to the natively compiled maxCompressedLength     function, using the returned value to allocate a byte array. Since the maxCompressedLength function treats     the length as an unsigned integer, it doesn't care that it is negative, and it returns a valid value,     which is casted to a signed integer by the Java engine. If the result is negative, a     `java.lang.NegativeArraySizeException` exception will be raised while trying to allocate the array `buf`.
    On the other side, if the result is positive, the `buf` array will successfully be allocated, but its size     might be too small to use for the compression, causing a fatal Access Violation error. The same issue     exists also when using the `compress` functions that receive double, float, int, long and short, each     using a different multiplier that may cause the same issue. The issue most likely won't occur when using a     byte array, since creating a byte array of size 0x80000000 (or any other negative value) is impossible in     the first place. Version 1.1.10.1 contains a patch for this issue. (CVE-2023-34454)

  - snappy-java is a fast compressor/decompressor for Java. Due to use of an unchecked chunk length, an     unrecoverable fatal error can occur in versions prior to 1.1.10.1. The code in the function hasNextChunk     in the fileSnappyInputStream.java checks if a given stream has more chunks to read. It does that by     attempting to read 4 bytes. If it wasn't possible to read the 4 bytes, the function returns false.
    Otherwise, if 4 bytes were available, the code treats them as the length of the next chunk. In the case     that the `compressed` variable is null, a byte array is allocated with the size given by the input data.
    Since the code doesn't test the legality of the `chunkSize` variable, it is possible to pass a negative     number (such as 0xFFFFFFFF which is -1), which will cause the code to raise a     `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive     value (such as 0x7FFFFFFF), which would raise the fatal `java.lang.OutOfMemoryError` error. Version     1.1.10.1 contains a patch for this issue. (CVE-2023-34455)

  - When deserializing untrusted or corrupted data, it is possible for a reader to consume memory beyond the     allowed constraints and thus lead to out of memory on the system. This issue affects Java applications     using Apache Avro Java SDK up to and including 1.11.2. Users should update to apache-avro version 1.11.3     which addresses this issue. (CVE-2023-39410)

  - Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via     `httpclient_impl` connection property; however, the driver does not verify if the class implements the     expected interface before instantiating it, which can lead to code execution loaded via arbitrary classes     and in rare cases remote code execution. To exploit the vulnerability: 1) the attacker needs to have     privileges to control JDBC connection parameters; 2) and there should be a vulnerable class (constructor     with URL parameter and ability to execute code) in the classpath. From Apache Calcite Avatica 1.22.0     onwards, it will be verified that the class implements the expected interface before invoking its     constructor. (CVE-2022-36364)

  - A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access     to the machine to potentially access data in a temporary directory created by the Guava API     com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is     world-readable (readable by an attacker with access to the system). The method in question has been marked     @Deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend     choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java     developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which     explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property     to point to a location whose permissions are appropriately configured. (CVE-2020-8908)

  - Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava     versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the     machine with access to the default Java temporary directory to be able to access the files created by the     class. Even though the security vulnerability is fixed in version 32.0.0, we recommend using version     32.0.1 as version 32.0.0 breaks some functionality under Windows. (CVE-2023-2976)

  - Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to     conduct denial of service attacks against servers that depend on this library and deserialize attacker-     provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the     CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without     appropriate checks on what a client has sent and whether the data size is reasonable. (CVE-2018-10237)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier     are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when     available which is the default case when installing from a wheel. This vulnerability only affects users of     aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you     are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request     will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling.
    This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can     reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP     request parser implementation. The pure Python implementation isn't vulnerable. (CVE-2023-37276)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

  - urllib3 is a user-friendly HTTP client library for Python. urllib3 doesn't treat the `Cookie` HTTP header     special or provide any helpers for managing cookies over HTTP, that is the responsibility of the user.
    However, it is possible for a user to specify a `Cookie` header and unknowingly leak information via HTTP     redirects to a different origin if that user doesn't disable redirects explicitly. This issue has been     patched in urllib3 version 1.26.17 or 2.0.5. (CVE-2023-43804)

  - urllib3 is a user-friendly HTTP client library for Python. urllib3 previously wouldn't remove the HTTP     request body when an HTTP redirect response using status 301, 302, or 303 after the request had its method     changed from one that could accept a request body (like `POST`) to `GET` as is required by HTTP RFCs.
    Although this behavior is not specified in the section for redirects, it can be inferred by piecing     together information from different sections and we have observed the behavior in other major HTTP client     implementations like curl and web browsers. Because the vulnerability requires a previously trusted     service to become compromised in order to have an impact on confidentiality we believe the exploitability     of this vulnerability is low. Additionally, many users aren't putting sensitive data in HTTP request     bodies, if this is the case then this vulnerability isn't exploitable. Both of the following conditions     must be true to be affected by this vulnerability: 1. Using urllib3 and submitting sensitive information     in the HTTP request body (such as form data or JSON) and 2. The origin service is compromised and starts     redirecting using 301, 302, or 303 to a malicious peer or the redirected-to service becomes compromised.
    This issue has been addressed in versions 1.26.18 and 2.0.7 and users are advised to update to resolve     this issue. Users unable to update should disable redirects for services that aren't expecting to respond     with redirects with `redirects=False` and disable automatic redirects with `redirects=False` and handle     301, 302, and 303 redirects manually by stripping the HTTP request body. (CVE-2023-45803)

  - Certifi is a curated collection of Root Certificates for validating the trustworthiness of SSL     certificates while verifying the identity of TLS hosts. Certifi prior to version 2023.07.22 recognizes     e-Tugra root certificates. e-Tugra's root certificates were subject to an investigation prompted by     reporting of security issues in their systems. Certifi 2023.07.22 removes root certificates from e-Tugra     from the root store. (CVE-2023-37920)

  - When installing a package from a Mercurial VCS URL (ie pip install hg+...) with pip prior to v23.3, the     specified Mercurial revision could be used to inject arbitrary configuration options to the hg clone     call (ie --config). Controlling the Mercurial configuration can modify how and which repository is     installed. This vulnerability does not affect users who aren't installing from Mercurial. (CVE-2023-5752)

  - Python Packaging Authority (PyPA) setuptools before 65.5.1 allows remote attackers to cause a denial of     service via HTML in a crafted package or custom PackageIndex page. There is a Regular Expression Denial of     Service (ReDoS) in package_index.py. (CVE-2022-40897)

  - A ReDoS issue was discovered in pygments/lexers/smithy.py in pygments through 2.15.0 via SmithyLexer.
    (CVE-2022-40896)

  - An issue discovered in Python Packaging Authority (PyPA) Wheel 0.37.1 and earlier allows remote attackers     to cause a denial of service via attacker controlled input to wheel cli. (CVE-2022-40898)

  - Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to     destination servers when redirected to an HTTPS endpoint. This is a product of how we use     `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent     through the tunnel, the proxy will identify the header in the request itself and remove it prior to     forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must     be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in     Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious     actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
    (CVE-2023-32681)

  - An issue discovered in Python Charmers Future 0.18.2 and earlier allows remote attackers to cause a denial     of service via crafted Set-Cookie header from malicious web server. (CVE-2022-40899)

  - python-idna: potential DoS via resource consumption via specially crafted inputs to idna.encode()     (CVE-2024-3651)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 12 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5828 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-5828-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     December 11, 2024                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : python-aiohttp     CVE ID         : CVE-2023-47627 CVE-2023-49081 CVE-2023-49082                      CVE-2024-23334 CVE-2024-30251 CVE-2024-52304

    Multiple security vulnerabilities were discovered in python-aiohttp,     a HTTP client/server for asyncio, which could result in denial of     service, directory traversal, CRLF injection or request smuggling.

    For the stable distribution (bookworm), these problems have been fixed in     version 3.8.4-1+deb12u1.

    We recommend that you upgrade your python-aiohttp packages.

    For the detailed security status of python-aiohttp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/python-aiohttp

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-4041 advisory.

    -------------------------------------------------------------------------     Debian LTS Advisory DLA-4041-1                debian-lts@lists.debian.org     https://www.debian.org/lts/security/                   Jochen Sprickerhof     February 03, 2025                             https://wiki.debian.org/LTS
    -------------------------------------------------------------------------

    Package        : python-aiohttp     Version        : 3.7.4-1+deb11u1     CVE ID         : CVE-2023-47627 CVE-2023-47641 CVE-2023-49081 CVE-2023-49082                      CVE-2024-23334 CVE-2024-23829 CVE-2024-27306 CVE-2024-30251                      CVE-2024-52304     Debian Bug     :

    Several issues have been found in aiohttp, an asynchronous HTTP     client/server framework for asyncio and Python. Those issues are related     to the HTTP parser, link traversal and XSS on the index pages.

    CVE-2023-47627

         The HTTP parser in AIOHTTP has numerous problems with header          parsing, which could lead to request smuggling. This parser is only          used when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt          wheel).

    CVE-2023-47641

        Affected versions of aiohttp have a security vulnerability regarding         the inconsistent interpretation of the http protocol. HTTP/1.1 is a         persistent protocol, if both Content-Length(CL) and         Transfer-Encoding(TE) header values are present it can lead to         incorrect interpretation of two entities that parse the HTTP and we         can poison other sockets with this incorrect interpretation. A         possible Proof-of-Concept (POC) would be a configuration with a         reverse proxy(frontend) that accepts both CL and TE headers and         aiohttp as backend. As aiohttp parses anything with chunked, we can         pass a chunked123 as TE, the frontend entity will ignore this header         and will parse Content-Length. The impact of this vulnerability is         that it is possible to bypass any proxy rule, poisoning sockets to         other users like passing Authentication Headers, also if it is         present an Open Redirect an attacker could combine it to redirect         random users to another website and log the request.

    CVE-2023-49081

        Improper validation made it possible for an attacker to modify the         HTTP request (e.g. to insert a new header) or create a new HTTP         request if the attacker controls the HTTP version. The vulnerability         only occurs if the attacker can control the HTTP version of the         request.

    CVE-2023-49082

        Improper validation makes it possible for an attacker to modify the         HTTP request (e.g. insert a new header) or even create a new HTTP         request if the attacker controls the HTTP method. The vulnerability         occurs only if the attacker can control the HTTP method (GET, POST         etc.) of the request. If the attacker can control the HTTP version         of the request it will be able to modify the request (request         smuggling).

    CVE-2024-23334

        When using aiohttp as a web server and configuring static routes, it         is necessary to specify the root path for static files.
        Additionally, the option 'follow_symlinks' can be used to determine         whether to follow symbolic links outside the static root directory.
        When 'follow_symlinks' is set to True, there is no validation to         check if reading a file is within the root directory. This can lead         to directory traversal vulnerabilities, resulting in unauthorized         access to arbitrary files on the system, even when symlinks are not         present. Disabling follow_symlinks and using a reverse proxy are         encouraged mitigations.

    CVE-2024-23829

        Security-sensitive parts of the Python HTTP parser retained minor         differences in allowable character sets, that must trigger error         handling to robustly match frame boundaries of proxies in order to         protect against injection of additional requests. Additionally,         validation could trigger exceptions that were not handled         consistently with processing of other malformed input. Being more         lenient than internet standards require could, depending on         deployment environment, assist in request smuggling. The unhandled         exception could cause excessive resource consumption on the         application server and/or its logging facilities.

    CVE-2024-27306

        A XSS vulnerability exists on index pages for static file handling.

    CVE-2024-30251

         In affected versions an attacker can send a specially crafted POST          (multipart/form-data) request. When the aiohttp server processes          it, the server will enter an infinite loop and be unable to process          any further requests. An attacker can stop the application from          serving requests after sending a single request.

    CVE-2024-52304

        The Python parser parses newlines in chunk extensions incorrectly         which can lead to request smuggling vulnerabilities under certain         conditions. If a pure Python version of aiohttp is installed (i.e.
        without the usual C extensions) or `AIOHTTP_NO_EXTENSIONS` is         enabled, then an attacker may be able to execute a request smuggling         attack to bypass certain firewalls or proxy protections.

    For Debian 11 bullseye, these problems have been fixed in version     3.7.4-1+deb11u1.

    We recommend that you upgrade your python-aiohttp packages.

    For the detailed security status of python-aiohttp please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/python-aiohttp

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS     Attachment:
    signature.asc     Description: PGP signature

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1536 advisory.

    Red Hat Satellite is a system management solution that allows organizations     to configure and maintain their systems without the necessity to provide     public Internet access to their servers or other client systems. It     performs provisioning and configuration management of predefined standard     operating environments.
    Security Fix(es):

    * automation-hub: Ansible Automation Hub: insecure galaxy-importer tarfile extraction (CVE-2023-5189)
    * python-aiohttp: aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)
    * python-aiohttp: http request smuggling (CVE-2024-23829)
    * python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)
    * python-aiohttp: aiohttp: HTTP request modification (CVE-2023-49081)
    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)
    * python-jinja2: jinja2: HTML attribute injection when passing user input as keys to xmlattr filter     (CVE-2024-22195)

    Bug Fix(es):
    2266107 - hammer host list does not print parameters even if they are present in the fields list like LCE     and CVs.
    2266110 - Incremental update of *multiple* CVs with same repo of different content generates wrong katello     content     2266139 - Failed incremental CV import shows error: duplicate key value violates unique constraint     rpm_updatecollectionname_name_update_record_id_6ef33bed_uniq     2266140 - wrong links to provisioning guide in CR help     2266142 - When using the customer data (json) with 13 diff conf files, we can see some weird behavior when     updating the hypervisors     2266144 - Promoting a composite content view to environment with registry name as <%=     lifecycle_environment.label %>/<%= repository.name %> on Red Hat Satellite 6 fails with 'undefined     method '#label' for NilClass::Jail (NilClass)'     2266145 - CertificateCleanupJob fails with foreign key constraint violation on table cp_certificate     2266146 - katello:reimport fails with TypeError: no implicit conversion of String into Integer when     there are product contents to move     2266147 - Postgresql logs contain PG::UniqueViolation: ERROR: duplicate key value violates unique     constraint katello_available_module_streams_name_stream_context     2266148 - Adding a CV to a CCV lists CV versions disorderly     2266149 - 'Remove orphans' task fails on DeleteOrphanAlternateContentSources step     2266413 - [RFE] Add content view window and Update version window should display content view version,     description and publishing date     2266113 - [RFE] To make customers aware about satellite versions going EOL by adding warning banner on the     Login page or on the Dashboard page.
    2266141 - wrong link to scap content documentation     Users of Red Hat Satellite are advised to upgrade to these updated     packages, which fix these bugs.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1057 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):

    * automation-eda-controller / ansible-rulebook / ansible-automation-platform-installer: Insecure websocket     used when interacting with EDA server (CVE-2024-1657)

    * python3-django/python39-django: denial-of-service in 'intcomma' template filter (CVE-2024-24680)

    * python3-jinja2/python39-jinja2: HTML attribute injection when passing user input as keys to xmlattr     filter (CVE-2024-22195)

    * python3-aiohttp/python39-aiohttp: CRLF injection if user controls the HTTP method using aiohttp client     (CVE-2023-49082)

    * python3-aiohttp/python39-aiohttp: HTTP request modification (CVE-2023-49081)

    * python3-aiohttp/python39-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

    * python3-pycryptodomex/python39-pycryptodomex: side-channel leakage for OAEP decryption in PyCryptodome     and pycryptodomex (CVE-2023-52323)

    * python3-pillow/python39-pillow: uncontrolled resource consumption when textlength in an ImageDraw     instance operates on a long text argument (CVE-2023-44271)

    * python3-pygments/python39-pygments: ReDoS in pygments (CVE-2022-40896)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * automation-controller has been updated to 4.5.2
    * Enabled HashiCorp Vault LDAP and Userpass authentication (AAP-19842)

    Updates and fixes for automation hub:
    * automation-hub and python3-galaxy-ng/python39-galaxy-ng have been updated to 4.9.1
    * various dependencies have been updated

    Updates and fixes for Event-Driven Ansible:
    * automation-eda-controller has been updated to 1.0.5
    * various dependencies have been updated
    * Fixed a vulnerability that allowed command line injections in user and url fields for projects     (AAP-17778)
    * The communication between the activations and eda-server is now authenticated. Once EDA Controller is     upgraded, all the existing running activations must be restarted with upgraded Decision Environment images     (AAP-17619)
    * Removed 409 conflict error when enabling an activation (AAP-16305)
    * An activation status did not change to failed when an internal error occurred (AAP-16014)
    * Restarting the EDA server can cause activation states to become stale (AAP-13064)
    * RHEL 9.2 activations can not connect to the host (AAP-12929)
    * Added podman_containers_conf_logs_max_size variable to control max log size for podman installations     with a default value of 10 MiB (AAP-12295)

    Note: The 2.4-6 installer/setup should be used to update Event-Driven Ansible to 1.0.5

    Updates and fixes for installer and setup:
    * Added podman_containers_conf_logs_max_size variable for containers.conf to control max log size for     podman installations with a default value of 10 MiB (AAP-19775)
    * EDA debug flag of false will now correctly disable django debug mode (AAP-19577)
    * installer and setup have been updated to 2.4-6

    Additional changes:
    * ansible-builder has been updated to 3.0.1
    * ansible-runner has been updated to 2.3.5
    * ansible-dev-tools has been added

    For more details about the updates and fixes included in this release, refer to the Release Notes.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:0577-1 advisory.

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. The HTTP parser in AIOHTTP     has numerous problems with header parsing, which could lead to request smuggling. This parser is only used     when AIOHTTP_NO_EXTENSIONS is enabled (or not using a prebuilt wheel). These bugs have been addressed in     commit `d5c12ba89` which has been included in release version 3.8.6. Users are advised to upgrade. There     are no known workarounds for these issues. (CVE-2023-47627)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Affected versions of     aiohttp have a security vulnerability regarding the inconsistent interpretation of the http protocol.
    HTTP/1.1 is a persistent protocol, if both Content-Length(CL) and Transfer-Encoding(TE) header values are     present it can lead to incorrect interpretation of two entities that parse the HTTP and we can poison     other sockets with this incorrect interpretation. A possible Proof-of-Concept (POC) would be a     configuration with a reverse proxy(frontend) that accepts both CL and TE headers and aiohttp as backend.
    As aiohttp parses anything with chunked, we can pass a chunked123 as TE, the frontend entity will ignore     this header and will parse Content-Length. The impact of this vulnerability is that it is possible to     bypass any proxy rule, poisoning sockets to other users like passing Authentication Headers, also if it is     present an Open Redirect an attacker could combine it to redirect random users to another website and log     the request. This vulnerability has been addressed in release 3.8.0 of aiohttp. Users are advised to     upgrade. There are no known workarounds for this vulnerability. (CVE-2023-47641)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. When using aiohttp as a     web server and configuring static routes, it is necessary to specify the root path for static files.
    Additionally, the option 'follow_symlinks' can be used to determine whether to follow symbolic links     outside the static root directory. When 'follow_symlinks' is set to True, there is no validation to check     if reading a file is within the root directory. This can lead to directory traversal vulnerabilities,     resulting in unauthorized access to arbitrary files on the system, even when symlinks are not present.
    Disabling follow_symlinks and using a reverse proxy are encouraged mitigations. Version 3.9.2 fixes this     issue. (CVE-2024-23334)

  - aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. Security-sensitive parts     of the Python HTTP parser retained minor differences in allowable character sets, that must trigger error     handling to robustly match frame boundaries of proxies in order to protect against injection of additional     requests. Additionally, validation could trigger exceptions that were not handled consistently with     processing of other malformed input. Being more lenient than internet standards require could, depending     on deployment environment, assist in request smuggling. The unhandled exception could cause excessive     resource consumption on the application server and/or its logging facilities. This vulnerability exists     due to an incomplete fix for CVE-2023-47627. Version 3.9.2 fixes this vulnerability. (CVE-2024-23829)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

    Red Hat Update Infrastructure (RHUI) offers a highly scalable, highly redundant     framework that enables you to manage repositories and content. It also enables     cloud providers to deliver content and updates to Red Hat Enterprise Linux     (RHEL) instances.

    Security Fix(es):

    * python-django: Potential regular expression denial of service vulnerability in     EmailValidator/URLValidator (CVE-2023-36053)

    * python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

    * python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()``     (CVE-2023-41164)

    * python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

    * python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

    * aiohttp: HTTP request modification (CVE-2023-49081)

    * python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

    * jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

    * aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

    * python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

    * python-aiohttp: http request smuggling (CVE-2024-23829)

    * Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

    * python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words()     (CVE-2024-27351)

    * aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

    This RHUI update fixes the following bugs:

    * The rhui-installer failed on RHEL 8.10 Beta due to the use of distutils. This has been addressed by     updating to a newer version of ansible-collection-community-crypto which does not use the distutils.

    This RHUI update introduces the following enhancements:

    * A native Ansible module is now used to update the packages on the RHUA server when the RHUI installer is     run for the first time or rerun at any time. This update can be prevented by using the --ignore-newer-     rhel-packages flag on the rhui-installer command line.

    * PulpCore has been updated to version 3.39.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
193086	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:1640)	Nessus	Red Hat Local Security Checks	4/9/2024	11/7/2024	critical
186628	Fedora 39 : llhttp / python-aiohttp / uxplay (2023-5130a73b00)	Nessus	Fedora Local Security Checks	12/6/2023	11/14/2024	high
199805	RHEL 8 : Satellite 6.15.0 (Important) (RHSA-2024:2010)	Nessus	Red Hat Local Security Checks	6/3/2024	3/6/2025	high
186627	Fedora 38 : llhttp / python-aiohttp / uxplay (2023-bc1f081ca0)	Nessus	Fedora Local Security Checks	12/6/2023	11/14/2024	high
201209	Splunk Enterprise 9.0.0 < 9.0.9, 9.1.0 < 9.1.4, 9.2.0 < 9.2.1 (SVD-2024-0718)	Nessus	CGI abuses	7/1/2024	7/2/2024	critical
212515	Debian dsa-5828 : python-aiohttp-doc - security update	Nessus	Debian Local Security Checks	12/11/2024	12/11/2024	medium
214900	Debian dla-4041 : python-aiohttp-doc - security update	Nessus	Debian Local Security Checks	2/3/2025	2/3/2025	medium
194355	RHEL 8 : Satellite 6.14.3 Async Security Update (Moderate) (RHSA-2024:1536)	Nessus	Red Hat Local Security Checks	4/28/2024	3/6/2025	high
191748	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Important) (RHSA-2024:1057)	Nessus	Red Hat Local Security Checks	3/8/2024	11/7/2024	high
190879	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : python-aiohttp, python-time-machine (SUSE-SU-2024:0577-1)	Nessus	SuSE Local Security Checks	2/22/2024	2/23/2024	high
193467	RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)	Nessus	Red Hat Local Security Checks	4/18/2024	11/7/2024	critical

Detections

Analytics

Plugins Search

critical

high

high

high

critical

medium

medium

high

high

high

critical