CVE-2019-17023

2020-01-08T22:15:00

Description

After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.

Affected Software

CPE Name	Name	Version
mozilla:firefox	mozilla firefox	72.0
canonical:ubuntu_linux	canonical ubuntu linux	16.04
canonical:ubuntu_linux	canonical ubuntu linux	18.04
canonical:ubuntu_linux	canonical ubuntu linux	19.04
canonical:ubuntu_linux	canonical ubuntu linux	19.10
canonical:ubuntu_linux	canonical ubuntu linux	20.04
debian:debian_linux	debian debian linux	10.0

{"id": "CVE-2019-17023", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2019-17023", "description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.", "published": "2020-01-08T22:15:00", "modified": "2023-01-27T18:24:00", "epss": [{"cve": "CVE-2019-17023", "epss": 0.00264, "percentile": 0.62754, "modified": "2023-06-13"}], "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "accessVector": "NETWORK", "accessComplexity": "MEDIUM", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE", "baseScore": 4.3}, "severity": "MEDIUM", "exploitabilityScore": 8.6, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": true}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM"}, "exploitabilityScore": 2.8, "impactScore": 3.6}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17023", "reporter": "security@mozilla.org", "references": ["https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", "https://www.mozilla.org/security/advisories/mfsa2020-01/", "https://usn.ubuntu.com/4234-1/", "https://usn.ubuntu.com/4397-1/", "https://www.debian.org/security/2020/dsa-4726"], "cvelist": ["CVE-2019-17023"], "immutableFields": [], "lastseen": "2023-06-13T14:48:46", "viewCount": 314, "enchantments": {"dependencies": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:3280"]}, {"type": "alpinelinux", "idList": ["ALPINE:CVE-2019-17023"]}, {"type": "amazon", "idList": ["ALAS-2021-1522", "ALAS2-2020-1559"]}, {"type": "archlinux", "idList": ["ASA-202001-1"]}, {"type": "centos", "idList": ["CESA-2020:4076"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4726-1:A1D0C"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-17023"]}, {"type": "ibm", "idList": ["18350C8CFDA428FFE8D03D8AF52B480419325DE4650723C8EB99383D1C4F7938", "71B326DA1818D1C755649BEC7DF6788BEB9DB87F212A5DE7C63619B1FBF2FE69", "FD39A731E3BFE5F8DE4A120F1ED300B4BC52F7B3B3FDDCEE6A7C56B4F2DEB7C3"]}, {"type": "kaspersky", "idList": ["KLA11628"]}, {"type": "mozilla", "idList": ["MFSA2020-01"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1559.NASL", "ALA_ALAS-2021-1522.NASL", "CENTOS8_RHSA-2020-3280.NASL", "CENTOS_RHSA-2020-4076.NASL", "DEBIAN_DSA-4726.NASL", "MACOS_FIREFOX_72_0.NASL", "MOZILLA_FIREFOX_72_0.NASL", "NEWSTART_CGSL_NS-SA-2021-0019_NSS.NASL", "NEWSTART_CGSL_NS-SA-2021-0053_NSS.NASL", "NEWSTART_CGSL_NS-SA-2021-0156_NSS.NASL", "NUTANIX_NXSA-AHV-20201105_1021.NASL", "NUTANIX_NXSA-AOS-5_15_5.NASL", "NUTANIX_NXSA-AOS-5_19_0_5.NASL", "NUTANIX_NXSA-AOS-5_19_1.NASL", "ORACLELINUX_ELSA-2020-3280.NASL", "ORACLELINUX_ELSA-2020-4076.NASL", "REDHAT-RHSA-2020-3280.NASL", "REDHAT-RHSA-2020-4076.NASL", "SL_20201001_NSS_AND_NSPR_ON_SL7_X.NASL", "UBUNTU_USN-4234-1.NASL", "UBUNTU_USN-4397-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310704726", "OPENVAS:1361412562310815881", "OPENVAS:1361412562310815882", "OPENVAS:1361412562310844289", "OPENVAS:1361412562310844470"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3280", "ELSA-2020-4076"]}, {"type": "osv", "idList": ["OSV:CVE-2019-17023", "OSV:DSA-4726-1"]}, {"type": "redhat", "idList": ["RHSA-2020:3280", "RHSA-2020:4076", "RHSA-2020:4201", "RHSA-2020:4254", "RHSA-2020:4255", "RHSA-2020:4264", "RHSA-2021:0778", "RHSA-2021:0949", "RHSA-2021:1079", "RHSA-2021:1129"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-17023"]}, {"type": "rocky", "idList": ["RLSA-2020:3280"]}, {"type": "ubuntu", "idList": ["USN-4234-1", "USN-4397-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-17023"]}, {"type": "veracode", "idList": ["VERACODE:26036"]}]}, "score": {"value": 2.8, "vector": "NONE"}, "twitter": {"counter": 4, "tweets": [{"link": "https://twitter.com/micsieg/status/1399882620826181632", "text": "Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403)"}, {"link": "https://twitter.com/micsieg/status/1399882620826181632", "text": "Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403)"}, {"link": "https://twitter.com/hashitom4work/status/1399911065962516480", "text": "\u3010\u8106\u5f31\u6027:\u9ad8\u3011Security Bulletin:\nIBM \u306f\u3001\u30bb\u30ad\u30e5\u30ea\u30c6\u30a3\u30fc\u8106\u5f31\u6027\u306b\u5bfe\u5fdc\u306e IBM Security Identity Governance and Intelligence \u306e\u30ea\u30ea\u30fc\u30b9\u3092\u767a\u8868\u3057\u307e\u3057\u305f\u3002 (CVE-2019-17-17-17006\u3001 CVE-2019-17023\u3001 CVE-2020-12403)"}, {"link": "https://twitter.com/VulmonFeeds/status/1399919582119350273", "text": "CVE-2019-17023\n\nAfter a HelloRetryRequest has been sent, the client may negotiate...\n\nhttps://t.co/67pw1evQCS?amp=1\n\nCustomizable Vulnerability Alerts: https://t.co/U7998fz7yk?amp=1"}], "modified": "2021-04-23T00:45:17"}, "backreferences": {"references": [{"type": "almalinux", "idList": ["ALSA-2020:3280"]}, {"type": "amazon", "idList": ["ALAS2-2020-1559"]}, {"type": "archlinux", "idList": ["ASA-202001-1"]}, {"type": "centos", "idList": ["CESA-2020:4076"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4726-1:A1D0C"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2019-17023"]}, {"type": "ibm", "idList": ["18350C8CFDA428FFE8D03D8AF52B480419325DE4650723C8EB99383D1C4F7938"]}, {"type": "kaspersky", "idList": ["KLA11628"]}, {"type": "mozilla", "idList": ["MFSA2020-01"]}, {"type": "nessus", "idList": ["AL2_ALAS-2020-1559.NASL", "CENTOS_RHSA-2020-4076.NASL", "MACOS_FIREFOX_72_0.NASL", "MOZILLA_FIREFOX_72_0.NASL", "UBUNTU_USN-4234-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310815881", "OPENVAS:1361412562310815882", "OPENVAS:1361412562310844289"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-3280"]}, {"type": "redhat", "idList": ["RHSA-2021:1129"]}, {"type": "redhatcve", "idList": ["RH:CVE-2019-17023"]}, {"type": "ubuntu", "idList": ["USN-4234-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2019-17023"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "mozilla firefox", "version": 72}, {"name": "canonical ubuntu linux", "version": 16}, {"name": "canonical ubuntu linux", "version": 18}, {"name": "canonical ubuntu linux", "version": 19}, {"name": "canonical ubuntu linux", "version": 19}, {"name": "canonical ubuntu linux", "version": 20}, {"name": "debian debian linux", "version": 10}]}, "epss": [{"cve": "CVE-2019-17023", "epss": 0.00343, "percentile": 0.67214, "modified": "2023-05-06"}], "vulnersScore": 2.8}, "_state": {"dependencies": 1686668443, "score": 1686668798, "affected_software_major_version": 0, "epss": 0}, "_internal": {"score_hash": "443edb5feb7d96b2e253955d9dc28432"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:20.04", "cpe:/o:canonical:ubuntu_linux:18.04"], "cpe23": ["cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"], "cwe": ["CWE-287"], "affectedSoftware": [{"cpeName": "mozilla:firefox", "version": "72.0", "operator": "lt", "name": "mozilla firefox"}, {"cpeName": "canonical:ubuntu_linux", "version": "16.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "18.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "19.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "19.10", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "canonical:ubuntu_linux", "version": "20.04", "operator": "eq", "name": "canonical ubuntu linux"}, {"cpeName": "debian:debian_linux", "version": "10.0", "operator": "eq", "name": "debian debian linux"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:mozilla:firefox:72.0:*:*:*:*:*:*:*", "versionEndExcluding": "72.0", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "cpe_name": []}, {"vulnerable": true, "cpe23Uri": "cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*", "cpe_name": []}]}, {"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", "name": "https://bugzilla.mozilla.org/show_bug.cgi?id=1590001", "refsource": "MISC", "tags": ["Issue Tracking", "Permissions Required"]}, {"url": "https://www.mozilla.org/security/advisories/mfsa2020-01/", "name": "https://www.mozilla.org/security/advisories/mfsa2020-01/", "refsource": "CONFIRM", "tags": ["Vendor Advisory"]}, {"url": "https://usn.ubuntu.com/4234-1/", "name": "USN-4234-1", "refsource": "UBUNTU", "tags": ["Third Party Advisory"]}, {"url": "https://usn.ubuntu.com/4397-1/", "name": "USN-4397-1", "refsource": "UBUNTU", "tags": ["Third Party Advisory"]}, {"url": "https://www.debian.org/security/2020/dsa-4726", "name": "DSA-4726", "refsource": "DEBIAN", "tags": ["Third Party Advisory"]}], "product_info": [{"vendor": "Mozilla", "product": "Firefox"}], "solutions": [], "workarounds": [], "impacts": [], "problemTypes": [{"descriptions": [{"description": "NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest had been sent", "lang": "en", "type": "text"}]}], "exploits": [], "assigned": "1976-01-01T00:00:00"}

{"veracode": [{"lastseen": "2023-04-18T12:45:13", "description": "nss is vulnerable to authorization bypass. The vulnerability exists as TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-08-04T02:02:54", "type": "veracode", "title": "Authorization Bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023"], "modified": "2023-01-27T19:42:41", "id": "VERACODE:26036", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26036/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2023-01-27T19:49:10", "description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.", "cvss3": {}, "published": "2020-01-08T22:15:00", "type": "osv", "title": "CVE-2019-17023", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-17023"], "modified": "2023-01-27T19:49:08", "id": "OSV:CVE-2019-17023", "href": "https://osv.dev/vulnerability/CVE-2019-17023", "cvss": {"score": 0.0, "vector": "NONE"}}], "alpinelinux": [{"lastseen": "2023-09-11T16:16:29", "description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-01-08T22:15:00", "type": "alpinelinux", "title": "CVE-2019-17023", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023"], "modified": "2023-01-27T18:24:00", "id": "ALPINE:CVE-2019-17023", "href": "https://security.alpinelinux.org/vuln/CVE-2019-17023", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "redhatcve": [{"lastseen": "2023-06-13T14:57:02", "description": "A protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-01-15T09:58:33", "type": "redhatcve", "title": "CVE-2019-17023", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023"], "modified": "2023-04-06T05:57:13", "id": "RH:CVE-2019-17023", "href": "https://access.redhat.com/security/cve/cve-2019-17023", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ubuntucve": [{"lastseen": "2023-06-29T14:18:58", "description": "After a HelloRetryRequest has been sent, the client may negotiate a lower\nprotocol that TLS 1.3, resulting in an invalid state transition in the TLS\nState Machine. If the client gets into this state, incoming Application\nData records will be ignored. This vulnerability affects Firefox < 72.\n\n#### Bugs\n\n * <https://bugzilla.mozilla.org/show_bug.cgi?id=1590001>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | nss in xenial is built with NSS_DISABLE_TLS_1_3, so this issue doesn't affect it.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-01-08T00:00:00", "type": "ubuntucve", "title": "CVE-2019-17023", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023"], "modified": "2020-01-08T00:00:00", "id": "UB:CVE-2019-17023", "href": "https://ubuntu.com/security/CVE-2019-17023", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "debiancve": [{"lastseen": "2023-06-13T18:10:48", "description": "After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-01-08T22:15:00", "type": "debiancve", "title": "CVE-2019-17023", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023"], "modified": "2020-01-08T22:15:00", "id": "DEBIANCVE:CVE-2019-17023", "href": "https://security-tracker.debian.org/tracker/CVE-2019-17023", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-06-25T14:01:48", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-06-17T00:00:00", "type": "openvas", "title": "Ubuntu: Security Advisory for nss (USN-4397-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17023", "CVE-2020-12399"], "modified": "2020-06-24T00:00:00", "id": "OPENVAS:1361412562310844470", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844470", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844470\");\n script_version(\"2020-06-24T03:42:18+0000\");\n script_cve_id(\"CVE-2019-17023\", \"CVE-2020-12399\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-06-24 03:42:18 +0000 (Wed, 24 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-17 03:00:15 +0000 (Wed, 17 Jun 2020)\");\n script_name(\"Ubuntu: Security Advisory for nss (USN-4397-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU19\\.10|UBUNTU18\\.04 LTS|UBUNTU16\\.04 LTS|UBUNTU20\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4397-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-June/005481.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss'\n package(s) announced via the USN-4397-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"It was discovered that NSS incorrectly handled the TLS State Machine. A\nremote attacker could possibly use this issue to cause NSS to hang,\nresulting in a denial of service. This issue only affected Ubuntu 18.04 LTS\nand Ubuntu 19.10. (CVE-2019-17023)\n\nCesar Pereida Garcia discovered that NSS incorrectly handled DSA key\ngeneration. A local attacker could possibly use this issue to perform a\ntiming attack and recover DSA keys. (CVE-2020-12399)\");\n\n script_tag(name:\"affected\", value:\"'nss' package(s) on Ubuntu 20.04 LTS, Ubuntu 19.10, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.45-1ubuntu2.3\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.35-2ubuntu2.8\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.28.4-0ubuntu0.16.04.11\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU20.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.49.1-1ubuntu1.1\", rls:\"UBUNTU20.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-21T20:07:28", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-07-19T00:00:00", "type": "openvas", "title": "Debian: Security Advisory for nss (DSA-4726-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-12402", "CVE-2019-17023", "CVE-2020-12399", "CVE-2019-17006"], "modified": "2020-07-19T00:00:00", "id": "OPENVAS:1361412562310704726", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704726", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704726\");\n script_version(\"2020-07-19T03:00:17+0000\");\n script_cve_id(\"CVE-2019-17006\", \"CVE-2019-17023\", \"CVE-2020-12399\", \"CVE-2020-12402\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-07-19 03:00:17 +0000 (Sun, 19 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-19 03:00:17 +0000 (Sun, 19 Jul 2020)\");\n script_name(\"Debian: Security Advisory for nss (DSA-4726-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB10\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2020/dsa-4726.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4726-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nss'\n package(s) announced via the DSA-4726-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several vulnerabilities were discovered in NSS, a set of cryptographic\nlibraries, which may result in side channel/timing attacks or denial\nof service.\");\n\n script_tag(name:\"affected\", value:\"'nss' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the stable distribution (buster), these problems have been fixed in\nversion 2:3.42.1-1+deb10u3.\n\nWe recommend that you upgrade your nss packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libnss3\", ver:\"2:3.42.1-1+deb10u3\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnss3-dev\", ver:\"2:3.42.1-1+deb10u3\", rls:\"DEB10\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnss3-tools\", ver:\"2:3.42.1-1+deb10u3\", rls:\"DEB10\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-03-05T16:54:34", "description": "This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-01-08T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2020-01_2020-02)-MAC OS X", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17025", "CVE-2019-17022", "CVE-2019-17024", "CVE-2019-17020", "CVE-2019-17017", "CVE-2019-17016", "CVE-2019-17023"], "modified": "2020-03-04T00:00:00", "id": "OPENVAS:1361412562310815882", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815882", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815882\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2019-17016\", \"CVE-2019-17017\", \"CVE-2019-17020\", \"CVE-2019-17022\",\n \"CVE-2019-17023\", \"CVE-2019-17024\", \"CVE-2019-17025\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-08 13:09:16 +0530 (Wed, 08 Jan 2020)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2020-01_2020-02)-MAC OS X\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - Bypass of @namespace CSS sanitization during pasting.\n\n - A type Confusion error in XPCVariant.cpp.\n\n - Content Security Policy not applied to XSL stylesheets applied to XML documents.\n\n - CSS sanitization does not escape HTML tags.\n\n - NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest\n had been sent.\n\n - Memory safety bugs.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers\n to run arbitrary code, disclose sensitive information and bypass security\n restrictions.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 72 on MAC OS X.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 72 or later.\n Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"executable_version\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/firefox/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_mozilla_prdts_detect_macosx.nasl\");\n script_mandatory_keys(\"Mozilla/Firefox/MacOSX/Version\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\n\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"72\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"72\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-10T16:55:29", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-01-11T00:00:00", "type": "openvas", "title": "Ubuntu Update for firefox USN-4234-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17025", "CVE-2019-17022", "CVE-2019-17024", "CVE-2019-17020", "CVE-2019-17017", "CVE-2019-17016", "CVE-2019-17023", "CVE-2019-17026"], "modified": "2020-03-09T00:00:00", "id": "OPENVAS:1361412562310844289", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310844289", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.844289\");\n script_version(\"2020-03-09T07:44:23+0000\");\n script_cve_id(\"CVE-2019-17016\", \"CVE-2019-17017\", \"CVE-2019-17020\", \"CVE-2019-17022\", \"CVE-2019-17023\", \"CVE-2019-17024\", \"CVE-2019-17025\", \"CVE-2019-17026\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-09 07:44:23 +0000 (Mon, 09 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-11 04:00:53 +0000 (Sat, 11 Jan 2020)\");\n script_name(\"Ubuntu Update for firefox USN-4234-1\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=(UBUNTU18\\.04 LTS|UBUNTU19\\.10|UBUNTU19\\.04|UBUNTU16\\.04 LTS)\");\n\n script_xref(name:\"USN\", value:\"4234-1\");\n script_xref(name:\"URL\", value:\"https://lists.ubuntu.com/archives/ubuntu-security-announce/2020-January/005264.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'firefox'\n package(s) announced via the USN-4234-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, obtain sensitive\ninformation, bypass Content Security Policy (CSP) restrictions, conduct\ncross-site scripting (XSS) attacks, or execute arbitrary code.\");\n\n script_tag(name:\"affected\", value:\"'firefox' package(s) on Ubuntu 19.10, Ubuntu 19.04, Ubuntu 18.04 LTS, Ubuntu 16.04 LTS.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"UBUNTU18.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"72.0.1+build1-0ubuntu0.18.04.1\", rls:\"UBUNTU18.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.10\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"72.0.1+build1-0ubuntu0.19.10.1\", rls:\"UBUNTU19.10\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU19.04\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"72.0.1+build1-0ubuntu0.19.04.1\", rls:\"UBUNTU19.04\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nif(release == \"UBUNTU16.04 LTS\") {\n\n if(!isnull(res = isdpkgvuln(pkg:\"firefox\", ver:\"72.0.1+build1-0ubuntu0.16.04.1\", rls:\"UBUNTU16.04 LTS\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-05T16:54:36", "description": "This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-01-08T00:00:00", "type": "openvas", "title": "Mozilla Firefox Security Updates(mfsa_2020-01_2020-02)-Windows", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17025", "CVE-2019-17022", "CVE-2019-17019", "CVE-2019-17018", "CVE-2019-17024", "CVE-2019-17021", "CVE-2019-17020", "CVE-2019-17017", "CVE-2019-17016", "CVE-2019-17015", "CVE-2019-17023"], "modified": "2020-03-04T00:00:00", "id": "OPENVAS:1361412562310815881", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310815881", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA\n\nCPE = \"cpe:/a:mozilla:firefox\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.815881\");\n script_version(\"2020-03-04T09:29:37+0000\");\n script_cve_id(\"CVE-2019-17015\", \"CVE-2019-17016\", \"CVE-2019-17017\", \"CVE-2019-17018\",\n \"CVE-2019-17019\", \"CVE-2019-17020\", \"CVE-2019-17021\", \"CVE-2019-17022\",\n \"CVE-2019-17023\", \"CVE-2019-17024\", \"CVE-2019-17025\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-03-04 09:29:37 +0000 (Wed, 04 Mar 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-08 13:08:56 +0530 (Wed, 08 Jan 2020)\");\n script_name(\"Mozilla Firefox Security Updates(mfsa_2020-01_2020-02)-Windows\");\n\n script_tag(name:\"summary\", value:\"This host is installed with\n Mozilla Firefox and is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is\n present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A memory corruption error in parent process during new content process\n initialization on Windows.\n\n - Bypass of namespace CSS sanitization during pasting.\n\n - A type Confusion error in XPCVariant.cpp.\n\n - Windows Keyboard in Private Browsing Mode may retain word suggestions.\n\n - Python files could be inadvertently executed upon opening a download.\n\n - Content Security Policy not applied to XSL stylesheets applied to XML documents.\n\n - Heap address disclosure in parent process during content process initialization.\n\n - CSS sanitization does not escape HTML tags.\n\n - NSS may negotiate TLS 1.2 or below after a TLS 1.3 HelloRetryRequest\n had been sent.\n\n - Memory safety bugs.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation allows attackers\n to run arbitrary code, disclose sensitive information, conduct xss attacks\n and bypass security restrictions.\");\n\n script_tag(name:\"affected\", value:\"Mozilla Firefox version before 72 on Windows.\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Mozilla Firefox version 72 or later.\n Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/\");\n script_xref(name:\"URL\", value:\"https://www.mozilla.org/en-US/firefox/\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_firefox_detect_win.nasl\");\n script_mandatory_keys(\"Firefox/Win/Ver\");\n exit(0);\n}\n\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!infos = get_app_version_and_location(cpe:CPE, exit_no_version:TRUE)) exit(0);\nffVer = infos['version'];\nffPath = infos['location'];\n\nif(version_is_less(version:ffVer, test_version:\"72\"))\n{\n report = report_fixed_ver(installed_version:ffVer, fixed_version:\"72\", install_path:ffPath);\n security_message(data:report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-27T14:20:15", "description": "It was discovered that NSS incorrectly handled the TLS State Machine.\nA remote attacker could possibly use this issue to cause NSS to hang, resulting in a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2019-17023)\n\nCesar Pereida Garcia discovered that NSS incorrectly handled DSA key generation. A local attacker could possibly use this issue to perform a timing attack and recover DSA keys. (CVE-2020-12399).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-06-17T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : NSS vulnerabilities (USN-4397-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17023", "CVE-2020-12399"], "modified": "2023-05-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libnss3", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.10", "cpe:/o:canonical:ubuntu_linux:20.04"], "id": "UBUNTU_USN-4397-1.NASL", "href": "https://www.tenable.com/plugins/nessus/137555", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4397-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(137555);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/11\");\n\n script_cve_id(\"CVE-2019-17023\", \"CVE-2020-12399\");\n script_xref(name:\"USN\", value:\"4397-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.10 / 20.04 : NSS vulnerabilities (USN-4397-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was discovered that NSS incorrectly handled the TLS State Machine.\nA remote attacker could possibly use this issue to cause NSS to hang,\nresulting in a denial of service. This issue only affected Ubuntu\n18.04 LTS and Ubuntu 19.10. (CVE-2019-17023)\n\nCesar Pereida Garcia discovered that NSS incorrectly handled DSA key\ngeneration. A local attacker could possibly use this issue to perform\na timing attack and recover DSA keys. (CVE-2020-12399).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4397-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected libnss3 package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17023\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libnss3\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.10|20\\.04)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.10 / 20.04\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"libnss3\", pkgver:\"2:3.28.4-0ubuntu0.16.04.11\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"libnss3\", pkgver:\"2:3.35-2ubuntu2.8\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"libnss3\", pkgver:\"2:3.45-1ubuntu2.3\")) flag++;\nif (ubuntu_check(osver:\"20.04\", pkgname:\"libnss3\", pkgver:\"2:3.49.1-1ubuntu1.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"libnss3\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:53", "description": "The remote NewStart CGSL host, running version MAIN 6.02, has nss packages installed that are affected by multiple vulnerabilities:\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "NewStart CGSL MAIN 6.02 : nss Multiple Vulnerabilities (NS-SA-2021-0053)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402"], "modified": "2021-03-10T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2021-0053_NSS.NASL", "href": "https://www.tenable.com/plugins/nessus/147281", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0053. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147281);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/10\");\n\n script_cve_id(\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-12402\"\n );\n\n script_name(english:\"NewStart CGSL MAIN 6.02 : nss Multiple Vulnerabilities (NS-SA-2021-0053)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version MAIN 6.02, has nss packages installed that are affected by multiple\nvulnerabilities:\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0053\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL nss packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL MAIN 6.02\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL MAIN 6.02');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL MAIN 6.02': [\n 'nss-3.53.1-11.el8_2',\n 'nss-debuginfo-3.53.1-11.el8_2',\n 'nss-debugsource-3.53.1-11.el8_2',\n 'nss-devel-3.53.1-11.el8_2',\n 'nss-pkcs11-devel-3.53.1-11.el8_2',\n 'nss-softokn-3.53.1-11.el8_2',\n 'nss-softokn-debuginfo-3.53.1-11.el8_2',\n 'nss-softokn-devel-3.53.1-11.el8_2',\n 'nss-softokn-freebl-3.53.1-11.el8_2',\n 'nss-softokn-freebl-debuginfo-3.53.1-11.el8_2',\n 'nss-softokn-freebl-devel-3.53.1-11.el8_2',\n 'nss-sysinit-3.53.1-11.el8_2',\n 'nss-sysinit-debuginfo-3.53.1-11.el8_2',\n 'nss-tools-3.53.1-11.el8_2',\n 'nss-tools-debuginfo-3.53.1-11.el8_2',\n 'nss-util-3.53.1-11.el8_2',\n 'nss-util-debuginfo-3.53.1-11.el8_2',\n 'nss-util-devel-3.53.1-11.el8_2'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nss');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:53", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3280 advisory.\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-02-01T00:00:00", "type": "nessus", "title": "CentOS 8 : nss and nspr (CESA-2020:3280)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402"], "modified": "2021-03-23T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nss", "p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-softokn", "p-cpe:/a:centos:centos:nss-softokn-devel", "p-cpe:/a:centos:centos:nss-softokn-freebl", "p-cpe:/a:centos:centos:nss-softokn-freebl-devel", "p-cpe:/a:centos:centos:nss-sysinit", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nss-util", "p-cpe:/a:centos:centos:nss-util-devel"], "id": "CENTOS8_RHSA-2020-3280.NASL", "href": "https://www.tenable.com/plugins/nessus/145878", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2020:3280. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145878);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/23\");\n\n script_cve_id(\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-12402\"\n );\n script_xref(name:\"RHSA\", value:\"2020:3280\");\n\n script_name(english:\"CentOS 8 : nss and nspr (CESA-2020:3280)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:3280 advisory.\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3280\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util-devel\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'nspr-4.25.0-2.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-4.25.0-2.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nspr / nspr-devel / nss / nss-devel / nss-softokn / nss-softokn-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:03:47", "description": "Several vulnerabilities were discovered in NSS, a set of cryptographic libraries, which may result in side channel/timing attacks or denial of service.", "cvss3": {}, "published": "2020-07-20T00:00:00", "type": "nessus", "title": "Debian DSA-4726-1 : nss - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12399", "CVE-2020-12402"], "modified": "2020-10-28T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:nss", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4726.NASL", "href": "https://www.tenable.com/plugins/nessus/138646", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4726. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138646);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/28\");\n\n script_cve_id(\"CVE-2019-17006\", \"CVE-2019-17023\", \"CVE-2020-12399\", \"CVE-2020-12402\");\n script_xref(name:\"DSA\", value:\"4726\");\n\n script_name(english:\"Debian DSA-4726-1 : nss - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several vulnerabilities were discovered in NSS, a set of cryptographic\nlibraries, which may result in side channel/timing attacks or denial\nof service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/nss\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/nss\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4726\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the nss packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2:3.42.1-1+deb10u3.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libnss3\", reference:\"2:3.42.1-1+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnss3-dev\", reference:\"2:3.42.1-1+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnss3-tools\", reference:\"2:3.42.1-1+deb10u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:06:51", "description": "From Red Hat Security Advisory 2020:3280 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3280 advisory.\n\n - nss: UAF in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-08-07T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : nspr / nss (ELSA-2020-3280)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402"], "modified": "2022-01-26T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nspr-devel", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nss-softokn", "p-cpe:/a:oracle:linux:nss-softokn-devel", "p-cpe:/a:oracle:linux:nss-softokn-freebl", "p-cpe:/a:oracle:linux:nss-softokn-freebl-devel", "p-cpe:/a:oracle:linux:nss-sysinit", "p-cpe:/a:oracle:linux:nss-tools", "p-cpe:/a:oracle:linux:nss-util", "p-cpe:/a:oracle:linux:nss-util-devel", "cpe:/o:oracle:linux:8"], "id": "ORACLELINUX_ELSA-2020-3280.NASL", "href": "https://www.tenable.com/plugins/nessus/139397", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3280 and \n# Oracle Linux Security Advisory ELSA-2020-3280 respectively.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139397);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/26\");\n\n script_cve_id(\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-12402\"\n );\n script_xref(name:\"RHSA\", value:\"2020:3280\");\n\n script_name(english:\"Oracle Linux 8 : nspr / nss (ELSA-2020-3280)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"From Red Hat Security Advisory 2020:3280 :\n\nThe remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3280 advisory.\n\n - nss: UAF in sftk_FreeSession due to improper refcounting\n (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives\n (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets\n client into invalid state (CVE-2019-17023)\n\n - nss: Side channel vulnerabilities during RSA key\n generation (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://oss.oracle.com/pipermail/el-errata/2020-August/010197.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected nspr and / or nss packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nspr-4.25.0-2.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nspr-devel-4.25.0-2.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-devel-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-softokn-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-softokn-devel-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-softokn-freebl-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-softokn-freebl-devel-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-sysinit-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-tools-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-util-3.53.1-11.el8_2\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"nss-util-devel-3.53.1-11.el8_2\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-devel / nss / nss-devel / nss-softokn / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-26T14:22:38", "description": "The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3280 advisory.\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: Timing attack on DSA signature generation (CVE-2020-12399)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-08-03T00:00:00", "type": "nessus", "title": "RHEL 8 : nss and nspr (RHSA-2020:3280)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12399", "CVE-2020-12402"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:rhel_aus:8.2", "cpe:/o:redhat:rhel_aus:8.4", "cpe:/o:redhat:rhel_aus:8.6", "cpe:/o:redhat:rhel_e4s:8.2", "cpe:/o:redhat:rhel_e4s:8.4", "cpe:/o:redhat:rhel_e4s:8.6", "cpe:/o:redhat:rhel_eus:8.2", "cpe:/o:redhat:rhel_eus:8.4", "cpe:/o:redhat:rhel_eus:8.6", "cpe:/o:redhat:rhel_tus:8.2", "cpe:/o:redhat:rhel_tus:8.4", "cpe:/o:redhat:rhel_tus:8.6", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nspr-devel", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-softokn", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel", "p-cpe:/a:redhat:enterprise_linux:nss-sysinit", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nss-util", "p-cpe:/a:redhat:enterprise_linux:nss-util-devel"], "id": "REDHAT-RHSA-2020-3280.NASL", "href": "https://www.tenable.com/plugins/nessus/139293", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:3280. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(139293);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-12399\",\n \"CVE-2020-12402\"\n );\n script_xref(name:\"IAVA\", value:\"2020-A-0287-S\");\n script_xref(name:\"RHSA\", value:\"2020:3280\");\n script_xref(name:\"IAVA\", value:\"2020-A-0002-S\");\n script_xref(name:\"IAVA\", value:\"2019-A-0438-S\");\n\n script_name(english:\"RHEL 8 : nss and nspr (RHSA-2020:3280)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:3280 advisory.\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: Timing attack on DSA signature generation (CVE-2020-12399)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17006\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12399\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:3280\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1774835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791225\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1826177\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1826231\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_cwe_id(122, 327, 416);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/12/03\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_aus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_e4s:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_eus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:rhel_tus:8.6\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-devel\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.2/x86_64/appstream/debug',\n 'content/aus/rhel8/8.2/x86_64/appstream/os',\n 'content/aus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.2/x86_64/baseos/debug',\n 'content/aus/rhel8/8.2/x86_64/baseos/os',\n 'content/aus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.2/ppc64le/sap/os',\n 'content/e4s/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.2/x86_64/appstream/os',\n 'content/e4s/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.2/x86_64/baseos/os',\n 'content/e4s/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.2/x86_64/sap/debug',\n 'content/e4s/rhel8/8.2/x86_64/sap/os',\n 'content/e4s/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/appstream/debug',\n 'content/eus/rhel8/8.2/aarch64/appstream/os',\n 'content/eus/rhel8/8.2/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/baseos/debug',\n 'content/eus/rhel8/8.2/aarch64/baseos/os',\n 'content/eus/rhel8/8.2/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.2/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.2/aarch64/highavailability/os',\n 'content/eus/rhel8/8.2/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.2/aarch64/supplementary/os',\n 'content/eus/rhel8/8.2/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.2/ppc64le/appstream/os',\n 'content/eus/rhel8/8.2/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.2/ppc64le/baseos/os',\n 'content/eus/rhel8/8.2/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.2/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.2/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.2/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.2/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/sap/debug',\n 'content/eus/rhel8/8.2/ppc64le/sap/os',\n 'content/eus/rhel8/8.2/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.2/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/appstream/debug',\n 'content/eus/rhel8/8.2/s390x/appstream/os',\n 'content/eus/rhel8/8.2/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/baseos/debug',\n 'content/eus/rhel8/8.2/s390x/baseos/os',\n 'content/eus/rhel8/8.2/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.2/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/highavailability/debug',\n 'content/eus/rhel8/8.2/s390x/highavailability/os',\n 'content/eus/rhel8/8.2/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.2/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/sap/debug',\n 'content/eus/rhel8/8.2/s390x/sap/os',\n 'content/eus/rhel8/8.2/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/s390x/supplementary/debug',\n 'content/eus/rhel8/8.2/s390x/supplementary/os',\n 'content/eus/rhel8/8.2/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/appstream/debug',\n 'content/eus/rhel8/8.2/x86_64/appstream/os',\n 'content/eus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/baseos/debug',\n 'content/eus/rhel8/8.2/x86_64/baseos/os',\n 'content/eus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.2/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.2/x86_64/highavailability/os',\n 'content/eus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.2/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.2/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/sap/debug',\n 'content/eus/rhel8/8.2/x86_64/sap/os',\n 'content/eus/rhel8/8.2/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.2/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.2/x86_64/supplementary/os',\n 'content/eus/rhel8/8.2/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/appstream/debug',\n 'content/tus/rhel8/8.2/x86_64/appstream/os',\n 'content/tus/rhel8/8.2/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/baseos/debug',\n 'content/tus/rhel8/8.2/x86_64/baseos/os',\n 'content/tus/rhel8/8.2/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.2/x86_64/highavailability/os',\n 'content/tus/rhel8/8.2/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/nfv/debug',\n 'content/tus/rhel8/8.2/x86_64/nfv/os',\n 'content/tus/rhel8/8.2/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.2/x86_64/rt/debug',\n 'content/tus/rhel8/8.2/x86_64/rt/os',\n 'content/tus/rhel8/8.2/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'nspr-4.25.0-2.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'sp':'2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.4/x86_64/appstream/debug',\n 'content/aus/rhel8/8.4/x86_64/appstream/os',\n 'content/aus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.4/x86_64/baseos/debug',\n 'content/aus/rhel8/8.4/x86_64/baseos/os',\n 'content/aus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/appstream/debug',\n 'content/e4s/rhel8/8.4/aarch64/appstream/os',\n 'content/e4s/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/aarch64/baseos/debug',\n 'content/e4s/rhel8/8.4/aarch64/baseos/os',\n 'content/e4s/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.4/ppc64le/sap/os',\n 'content/e4s/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/appstream/debug',\n 'content/e4s/rhel8/8.4/s390x/appstream/os',\n 'content/e4s/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/s390x/baseos/debug',\n 'content/e4s/rhel8/8.4/s390x/baseos/os',\n 'content/e4s/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.4/x86_64/appstream/os',\n 'content/e4s/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.4/x86_64/baseos/os',\n 'content/e4s/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/nfv/debug',\n 'content/e4s/rhel8/8.4/x86_64/nfv/os',\n 'content/e4s/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.4/x86_64/sap/debug',\n 'content/e4s/rhel8/8.4/x86_64/sap/os',\n 'content/e4s/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/appstream/debug',\n 'content/eus/rhel8/8.4/aarch64/appstream/os',\n 'content/eus/rhel8/8.4/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/baseos/debug',\n 'content/eus/rhel8/8.4/aarch64/baseos/os',\n 'content/eus/rhel8/8.4/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.4/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.4/aarch64/highavailability/os',\n 'content/eus/rhel8/8.4/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.4/aarch64/supplementary/os',\n 'content/eus/rhel8/8.4/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.4/ppc64le/appstream/os',\n 'content/eus/rhel8/8.4/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.4/ppc64le/baseos/os',\n 'content/eus/rhel8/8.4/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.4/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.4/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.4/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.4/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/sap/debug',\n 'content/eus/rhel8/8.4/ppc64le/sap/os',\n 'content/eus/rhel8/8.4/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.4/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/appstream/debug',\n 'content/eus/rhel8/8.4/s390x/appstream/os',\n 'content/eus/rhel8/8.4/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/baseos/debug',\n 'content/eus/rhel8/8.4/s390x/baseos/os',\n 'content/eus/rhel8/8.4/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.4/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/highavailability/debug',\n 'content/eus/rhel8/8.4/s390x/highavailability/os',\n 'content/eus/rhel8/8.4/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.4/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/sap/debug',\n 'content/eus/rhel8/8.4/s390x/sap/os',\n 'content/eus/rhel8/8.4/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/s390x/supplementary/debug',\n 'content/eus/rhel8/8.4/s390x/supplementary/os',\n 'content/eus/rhel8/8.4/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/appstream/debug',\n 'content/eus/rhel8/8.4/x86_64/appstream/os',\n 'content/eus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/baseos/debug',\n 'content/eus/rhel8/8.4/x86_64/baseos/os',\n 'content/eus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.4/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.4/x86_64/highavailability/os',\n 'content/eus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.4/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.4/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/sap/debug',\n 'content/eus/rhel8/8.4/x86_64/sap/os',\n 'content/eus/rhel8/8.4/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.4/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.4/x86_64/supplementary/os',\n 'content/eus/rhel8/8.4/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/appstream/debug',\n 'content/tus/rhel8/8.4/x86_64/appstream/os',\n 'content/tus/rhel8/8.4/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/baseos/debug',\n 'content/tus/rhel8/8.4/x86_64/baseos/os',\n 'content/tus/rhel8/8.4/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.4/x86_64/highavailability/os',\n 'content/tus/rhel8/8.4/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/nfv/debug',\n 'content/tus/rhel8/8.4/x86_64/nfv/os',\n 'content/tus/rhel8/8.4/x86_64/nfv/source/SRPMS',\n 'content/tus/rhel8/8.4/x86_64/rt/debug',\n 'content/tus/rhel8/8.4/x86_64/rt/os',\n 'content/tus/rhel8/8.4/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'nspr-4.25.0-2.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'sp':'4', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/aus/rhel8/8.6/x86_64/appstream/debug',\n 'content/aus/rhel8/8.6/x86_64/appstream/os',\n 'content/aus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/aus/rhel8/8.6/x86_64/baseos/debug',\n 'content/aus/rhel8/8.6/x86_64/baseos/os',\n 'content/aus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/debug',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/os',\n 'content/e4s/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/debug',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/os',\n 'content/e4s/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/os',\n 'content/e4s/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/ppc64le/sap/debug',\n 'content/e4s/rhel8/8.6/ppc64le/sap/os',\n 'content/e4s/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/appstream/debug',\n 'content/e4s/rhel8/8.6/x86_64/appstream/os',\n 'content/e4s/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/baseos/debug',\n 'content/e4s/rhel8/8.6/x86_64/baseos/os',\n 'content/e4s/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/debug',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/os',\n 'content/e4s/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/e4s/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/e4s/rhel8/8.6/x86_64/sap/debug',\n 'content/e4s/rhel8/8.6/x86_64/sap/os',\n 'content/e4s/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/appstream/debug',\n 'content/eus/rhel8/8.6/aarch64/appstream/os',\n 'content/eus/rhel8/8.6/aarch64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/baseos/debug',\n 'content/eus/rhel8/8.6/aarch64/baseos/os',\n 'content/eus/rhel8/8.6/aarch64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/os',\n 'content/eus/rhel8/8.6/aarch64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/highavailability/debug',\n 'content/eus/rhel8/8.6/aarch64/highavailability/os',\n 'content/eus/rhel8/8.6/aarch64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/aarch64/supplementary/debug',\n 'content/eus/rhel8/8.6/aarch64/supplementary/os',\n 'content/eus/rhel8/8.6/aarch64/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/appstream/debug',\n 'content/eus/rhel8/8.6/ppc64le/appstream/os',\n 'content/eus/rhel8/8.6/ppc64le/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/baseos/debug',\n 'content/eus/rhel8/8.6/ppc64le/baseos/os',\n 'content/eus/rhel8/8.6/ppc64le/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/debug',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/os',\n 'content/eus/rhel8/8.6/ppc64le/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/debug',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/os',\n 'content/eus/rhel8/8.6/ppc64le/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/debug',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/os',\n 'content/eus/rhel8/8.6/ppc64le/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/os',\n 'content/eus/rhel8/8.6/ppc64le/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/sap/debug',\n 'content/eus/rhel8/8.6/ppc64le/sap/os',\n 'content/eus/rhel8/8.6/ppc64le/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/debug',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/os',\n 'content/eus/rhel8/8.6/ppc64le/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/appstream/debug',\n 'content/eus/rhel8/8.6/s390x/appstream/os',\n 'content/eus/rhel8/8.6/s390x/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/baseos/debug',\n 'content/eus/rhel8/8.6/s390x/baseos/os',\n 'content/eus/rhel8/8.6/s390x/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/debug',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/os',\n 'content/eus/rhel8/8.6/s390x/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/highavailability/debug',\n 'content/eus/rhel8/8.6/s390x/highavailability/os',\n 'content/eus/rhel8/8.6/s390x/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/debug',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/os',\n 'content/eus/rhel8/8.6/s390x/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/sap/debug',\n 'content/eus/rhel8/8.6/s390x/sap/os',\n 'content/eus/rhel8/8.6/s390x/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/s390x/supplementary/debug',\n 'content/eus/rhel8/8.6/s390x/supplementary/os',\n 'content/eus/rhel8/8.6/s390x/supplementary/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/appstream/debug',\n 'content/eus/rhel8/8.6/x86_64/appstream/os',\n 'content/eus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/baseos/debug',\n 'content/eus/rhel8/8.6/x86_64/baseos/os',\n 'content/eus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/debug',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/os',\n 'content/eus/rhel8/8.6/x86_64/codeready-builder/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/eus/rhel8/8.6/x86_64/highavailability/os',\n 'content/eus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/debug',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/os',\n 'content/eus/rhel8/8.6/x86_64/resilientstorage/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/debug',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/os',\n 'content/eus/rhel8/8.6/x86_64/sap-solutions/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/sap/debug',\n 'content/eus/rhel8/8.6/x86_64/sap/os',\n 'content/eus/rhel8/8.6/x86_64/sap/source/SRPMS',\n 'content/eus/rhel8/8.6/x86_64/supplementary/debug',\n 'content/eus/rhel8/8.6/x86_64/supplementary/os',\n 'content/eus/rhel8/8.6/x86_64/supplementary/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/appstream/debug',\n 'content/tus/rhel8/8.6/x86_64/appstream/os',\n 'content/tus/rhel8/8.6/x86_64/appstream/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/baseos/debug',\n 'content/tus/rhel8/8.6/x86_64/baseos/os',\n 'content/tus/rhel8/8.6/x86_64/baseos/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/highavailability/debug',\n 'content/tus/rhel8/8.6/x86_64/highavailability/os',\n 'content/tus/rhel8/8.6/x86_64/highavailability/source/SRPMS',\n 'content/tus/rhel8/8.6/x86_64/rt/os',\n 'content/tus/rhel8/8.6/x86_64/rt/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'nspr-4.25.0-2.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'sp':'6', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n },\n {\n 'repo_relative_urls': [\n 'content/dist/rhel8/8/aarch64/appstream/debug',\n 'content/dist/rhel8/8/aarch64/appstream/os',\n 'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/baseos/debug',\n 'content/dist/rhel8/8/aarch64/baseos/os',\n 'content/dist/rhel8/8/aarch64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/codeready-builder/debug',\n 'content/dist/rhel8/8/aarch64/codeready-builder/os',\n 'content/dist/rhel8/8/aarch64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/highavailability/debug',\n 'content/dist/rhel8/8/aarch64/highavailability/os',\n 'content/dist/rhel8/8/aarch64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/aarch64/supplementary/debug',\n 'content/dist/rhel8/8/aarch64/supplementary/os',\n 'content/dist/rhel8/8/aarch64/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/appstream/debug',\n 'content/dist/rhel8/8/ppc64le/appstream/os',\n 'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/baseos/debug',\n 'content/dist/rhel8/8/ppc64le/baseos/os',\n 'content/dist/rhel8/8/ppc64le/baseos/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/debug',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/os',\n 'content/dist/rhel8/8/ppc64le/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/highavailability/debug',\n 'content/dist/rhel8/8/ppc64le/highavailability/os',\n 'content/dist/rhel8/8/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/debug',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/os',\n 'content/dist/rhel8/8/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/debug',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/os',\n 'content/dist/rhel8/8/ppc64le/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/sap/debug',\n 'content/dist/rhel8/8/ppc64le/sap/os',\n 'content/dist/rhel8/8/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel8/8/ppc64le/supplementary/debug',\n 'content/dist/rhel8/8/ppc64le/supplementary/os',\n 'content/dist/rhel8/8/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/s390x/appstream/debug',\n 'content/dist/rhel8/8/s390x/appstream/os',\n 'content/dist/rhel8/8/s390x/appstream/source/SRPMS',\n 'content/dist/rhel8/8/s390x/baseos/debug',\n 'content/dist/rhel8/8/s390x/baseos/os',\n 'content/dist/rhel8/8/s390x/baseos/source/SRPMS',\n 'content/dist/rhel8/8/s390x/codeready-builder/debug',\n 'content/dist/rhel8/8/s390x/codeready-builder/os',\n 'content/dist/rhel8/8/s390x/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/s390x/highavailability/debug',\n 'content/dist/rhel8/8/s390x/highavailability/os',\n 'content/dist/rhel8/8/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/s390x/resilientstorage/debug',\n 'content/dist/rhel8/8/s390x/resilientstorage/os',\n 'content/dist/rhel8/8/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/s390x/sap/debug',\n 'content/dist/rhel8/8/s390x/sap/os',\n 'content/dist/rhel8/8/s390x/sap/source/SRPMS',\n 'content/dist/rhel8/8/s390x/supplementary/debug',\n 'content/dist/rhel8/8/s390x/supplementary/os',\n 'content/dist/rhel8/8/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/appstream/debug',\n 'content/dist/rhel8/8/x86_64/appstream/os',\n 'content/dist/rhel8/8/x86_64/appstream/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/baseos/debug',\n 'content/dist/rhel8/8/x86_64/baseos/os',\n 'content/dist/rhel8/8/x86_64/baseos/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/codeready-builder/debug',\n 'content/dist/rhel8/8/x86_64/codeready-builder/os',\n 'content/dist/rhel8/8/x86_64/codeready-builder/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/highavailability/debug',\n 'content/dist/rhel8/8/x86_64/highavailability/os',\n 'content/dist/rhel8/8/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/nfv/debug',\n 'content/dist/rhel8/8/x86_64/nfv/os',\n 'content/dist/rhel8/8/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/resilientstorage/debug',\n 'content/dist/rhel8/8/x86_64/resilientstorage/os',\n 'content/dist/rhel8/8/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/rt/debug',\n 'content/dist/rhel8/8/x86_64/rt/os',\n 'content/dist/rhel8/8/x86_64/rt/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap-solutions/debug',\n 'content/dist/rhel8/8/x86_64/sap-solutions/os',\n 'content/dist/rhel8/8/x86_64/sap-solutions/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/sap/debug',\n 'content/dist/rhel8/8/x86_64/sap/os',\n 'content/dist/rhel8/8/x86_64/sap/source/SRPMS',\n 'content/dist/rhel8/8/x86_64/supplementary/debug',\n 'content/dist/rhel8/8/x86_64/supplementary/os',\n 'content/dist/rhel8/8/x86_64/supplementary/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'nspr-4.25.0-2.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-11.el8_2', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n var enterprise_linux_flag = rhel_repo_urls_has_content_dist_rhel(repo_urls:repo_relative_urls);\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp']) && !enterprise_linux_flag) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nspr / nspr-devel / nss / nss-devel / nss-softokn / nss-softokn-devel / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:55:23", "description": "The version of Firefox installed on the remote macOS or Mac OS X host is prior to 72.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-01 advisory, including the following:\n\n- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. (CVE-2019-17016)\n\n- Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.\n (CVE-2019-17017)\n\n- If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.\n includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. (CVE-2019-17020)\n\n- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. (CVE-2019-17022) \n- After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. (CVE-2019-17023)\n\n- Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17024)\n\n- Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17025)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-08T00:00:00", "type": "nessus", "title": "Mozilla Firefox < 72.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17020", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025"], "modified": "2020-02-14T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MACOS_FIREFOX_72_0.NASL", "href": "https://www.tenable.com/plugins/nessus/132708", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2020-01.\n# The text itself is copyright (C) Mozilla Foundation.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132708);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2019-17016\",\n \"CVE-2019-17017\",\n \"CVE-2019-17020\",\n \"CVE-2019-17022\",\n \"CVE-2019-17023\",\n \"CVE-2019-17024\",\n \"CVE-2019-17025\"\n );\n script_xref(name:\"MFSA\", value:\"2020-01\");\n\n script_name(english:\"Mozilla Firefox < 72.0 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote macOS or Mac OS X host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox installed on the remote macOS or Mac OS X host is prior to 72.0. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the mfsa2020-01 advisory, including the following:\n\n- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly\n rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in\n data exfiltration. (CVE-2019-17016)\n\n- Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a\n crash. We presume that with enough effort that it could be exploited to run arbitrary code.\n (CVE-2019-17017)\n\n- If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the\n Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.\n includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to\n the XML document. (CVE-2019-17020)\n\n- When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape\n < and > characters. Because the resulting string is pasted directly into the text node of the element\n this does not result in a direct injection into the webpage; however, if a webpage subsequently copies\n the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two\n WYSIWYG editors were identified with this behavior, more may exist. (CVE-2019-17022)\n \n- After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3,\n resulting in an invalid state transition in the TLS State Machine. If the client gets into this state,\n incoming Application Data records will be ignored. (CVE-2019-17023)\n\n- Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in\n Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume\n that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17024)\n\n- Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler\n reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory\n corruption and we presume that with enough effort some of these could have been exploited to run\n arbitrary code. (CVE-2019-17025)\n\nNote that Nessus has not tested for this issue but\nhas instead relied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 72.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17025\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"MacOS X Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"macosx_firefox_installed.nasl\");\n script_require_keys(\"MacOSX/Firefox/Installed\");\n\n exit(0);\n}\n\ninclude('mozilla_version.inc');\n\nkb_base = 'MacOSX/Firefox';\nget_kb_item_or_exit(kb_base+'/Installed');\n\nversion = get_kb_item_or_exit(kb_base+'/Version', exit_code:1);\npath = get_kb_item_or_exit(kb_base+'/Path', exit_code:1);\n\nis_esr = get_kb_item(kb_base+'/is_esr');\nif (is_esr) exit(0, 'The Mozilla Firefox installation is in the ESR branch.');\n\nmozilla_check_version(version:version, path:path, product:'firefox', esr:FALSE, fix:'72.0', xss:TRUE, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:01:56", "description": "Multiple security issues were discovered in Firefox. If a user were tricked in to opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service, obtain sensitive information, bypass Content Security Policy (CSP) restrictions, conduct cross-site scripting (XSS) attacks, or execute arbitrary code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-01-13T00:00:00", "type": "nessus", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4234-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17020", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025", "CVE-2019-17026"], "modified": "2023-05-11T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:firefox", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/o:canonical:ubuntu_linux:19.10"], "id": "UBUNTU_USN-4234-1.NASL", "href": "https://www.tenable.com/plugins/nessus/132854", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4234-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132854);\n script_version(\"1.12\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/11\");\n\n script_cve_id(\"CVE-2019-17016\", \"CVE-2019-17017\", \"CVE-2019-17020\", \"CVE-2019-17022\", \"CVE-2019-17023\", \"CVE-2019-17024\", \"CVE-2019-17025\", \"CVE-2019-17026\");\n script_xref(name:\"USN\", value:\"4234-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0007\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 19.04 / 19.10 : firefox vulnerabilities (USN-4234-1)\");\n script_summary(english:\"Checks dpkg output for updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Ubuntu host is missing a security-related patch.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were discovered in Firefox. If a user were\ntricked in to opening a specially crafted website, an attacker could\npotentially exploit these to cause a denial of service, obtain\nsensitive information, bypass Content Security Policy (CSP)\nrestrictions, conduct cross-site scripting (XSS) attacks, or execute\narbitrary code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://usn.ubuntu.com/4234-1/\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected firefox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17025\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:firefox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.04\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:19.10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2023 Canonical, Inc. / NASL script (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"ubuntu.inc\");\ninclude(\"misc_func.inc\");\n\nif ( ! get_kb_item(\"Host/local_checks_enabled\") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar release = get_kb_item(\"Host/Ubuntu/release\");\nif ( isnull(release) ) audit(AUDIT_OS_NOT, \"Ubuntu\");\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|19\\.04|19\\.10)$\", string:release)) audit(AUDIT_OS_NOT, \"Ubuntu 16.04 / 18.04 / 19.04 / 19.10\", \"Ubuntu \" + release);\nif ( ! get_kb_item(\"Host/Debian/dpkg-l\") ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar flag = 0;\n\nif (ubuntu_check(osver:\"16.04\", pkgname:\"firefox\", pkgver:\"72.0.1+build1-0ubuntu0.16.04.1\")) flag++;\nif (ubuntu_check(osver:\"18.04\", pkgname:\"firefox\", pkgver:\"72.0.1+build1-0ubuntu0.18.04.1\")) flag++;\nif (ubuntu_check(osver:\"19.04\", pkgname:\"firefox\", pkgver:\"72.0.1+build1-0ubuntu0.19.04.1\")) flag++;\nif (ubuntu_check(osver:\"19.10\", pkgname:\"firefox\", pkgver:\"72.0.1+build1-0ubuntu0.19.10.1\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"firefox\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:34:36", "description": "The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has nss packages installed that are affected by multiple vulnerabilities:\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-10-27T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.05 / MAIN 5.05 : nss Multiple Vulnerabilities (NS-SA-2021-0156)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2021-10-27T00:00:00", "cpe": ["p-cpe:/a:zte:cgsl_core:nss", "p-cpe:/a:zte:cgsl_core:nss-devel", "p-cpe:/a:zte:cgsl_core:nss-pkcs11-devel", "p-cpe:/a:zte:cgsl_core:nss-sysinit", "p-cpe:/a:zte:cgsl_core:nss-tools", "p-cpe:/a:zte:cgsl_main:nss", "p-cpe:/a:zte:cgsl_main:nss-devel", "p-cpe:/a:zte:cgsl_main:nss-pkcs11-devel", "p-cpe:/a:zte:cgsl_main:nss-sysinit", "p-cpe:/a:zte:cgsl_main:nss-tools", "cpe:/o:zte:cgsl_core:5", "cpe:/o:zte:cgsl_main:5"], "id": "NEWSTART_CGSL_NS-SA-2021-0156_NSS.NASL", "href": "https://www.tenable.com/plugins/nessus/154457", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0156. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(154457);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/10/27\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0231-S\");\n script_xref(name:\"IAVA\", value:\"2019-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0002-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0391-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0287-S\");\n\n script_name(english:\"NewStart CGSL CORE 5.05 / MAIN 5.05 : nss Multiple Vulnerabilities (NS-SA-2021-0156)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote NewStart CGSL host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.05 / MAIN 5.05, has nss packages installed that are affected by\nmultiple vulnerabilities:\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0156\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-11719\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-11727\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-11756\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-17006\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2019-17023\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-12400\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-12401\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-12402\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-12403\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/info/CVE-2020-6829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL nss packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/10/27\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_core:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:zte:cgsl_main:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_core:5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:zte:cgsl_main:5\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nvar release = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.05\" &&\n release !~ \"CGSL MAIN 5.05\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.05 / NewStart CGSL MAIN 5.05');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nvar flag = 0;\n\nvar pkgs = {\n 'CGSL CORE 5.05': [\n 'nss-3.53.1-3.el7.cgslv5_5.0.2.g68c96f6.lite',\n 'nss-devel-3.53.1-3.el7.cgslv5_5.0.2.g68c96f6.lite',\n 'nss-pkcs11-devel-3.53.1-3.el7.cgslv5_5.0.2.g68c96f6.lite',\n 'nss-sysinit-3.53.1-3.el7.cgslv5_5.0.2.g68c96f6.lite',\n 'nss-tools-3.53.1-3.el7.cgslv5_5.0.2.g68c96f6.lite'\n ],\n 'CGSL MAIN 5.05': [\n 'nss-3.53.1-3.el7.cgslv5_5.0.1.g3b7ac85',\n 'nss-devel-3.53.1-3.el7.cgslv5_5.0.1.g3b7ac85',\n 'nss-pkcs11-devel-3.53.1-3.el7.cgslv5_5.0.1.g3b7ac85',\n 'nss-sysinit-3.53.1-3.el7.cgslv5_5.0.1.g3b7ac85',\n 'nss-tools-3.53.1-3.el7.cgslv5_5.0.1.g3b7ac85'\n ]\n};\nvar pkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nss');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:31:21", "description": "The version of nspr installed on the remote host is prior to 4.25.0-2.45. The version of nss-softokn installed on the remote host is prior to 3.53.1-6.46. The version of nss-util installed on the remote host is prior to 3.53.1-1.58. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1522 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-07-13T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : nspr, nss-softokn, nss-util (ALAS-2021-1522)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2021-07-13T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:nspr", "p-cpe:/a:amazon:linux:nspr-debuginfo", "p-cpe:/a:amazon:linux:nspr-devel", "p-cpe:/a:amazon:linux:nss-softokn", "p-cpe:/a:amazon:linux:nss-softokn-debuginfo", "p-cpe:/a:amazon:linux:nss-softokn-devel", "p-cpe:/a:amazon:linux:nss-softokn-freebl", "p-cpe:/a:amazon:linux:nss-softokn-freebl-devel", "p-cpe:/a:amazon:linux:nss-util", "p-cpe:/a:amazon:linux:nss-util-debuginfo", "p-cpe:/a:amazon:linux:nss-util-devel", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2021-1522.NASL", "href": "https://www.tenable.com/plugins/nessus/151520", "sourceData": "#%NASL_MIN_LEVEL 70300\n##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2021-1522.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(151520);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/13\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0231-S\");\n script_xref(name:\"IAVA\", value:\"2019-A-0438-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0002-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0391-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0287-S\");\n script_xref(name:\"ALAS\", value:\"2021-1522\");\n\n script_name(english:\"Amazon Linux AMI : nspr, nss-softokn, nss-util (ALAS-2021-1522)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of nspr installed on the remote host is prior to 4.25.0-2.45. The version of nss-softokn installed on the\nremote host is prior to 3.53.1-6.46. The version of nss-util installed on the remote host is prior to 3.53.1-1.58. It\nis, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2021-1522 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2021-1522.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11719\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11727\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17006\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12400\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12401\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12403\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update nspr' to update your system.\n Run 'yum update nss-softokn' to update your system.\n Run 'yum update nss-util' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/07/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'nspr-4.25.0-2.45.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-4.25.0-2.45.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-debuginfo-4.25.0-2.45.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-debuginfo-4.25.0-2.45.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.45.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.45.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-6.46.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-6.46.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-debuginfo-3.53.1-6.46.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-debuginfo-3.53.1-6.46.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-6.46.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-6.46.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-6.46.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-6.46.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.46.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.46.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-1.58.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-1.58.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-debuginfo-3.53.1-1.58.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-debuginfo-3.53.1-1.58.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-1.58.amzn1', 'cpu':'i686', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-1.58.amzn1', 'cpu':'x86_64', 'release':'ALA', 'rpm_spec_vers_cmp':TRUE}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:07", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-4076 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-10-08T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : nss / and / nspr (ELSA-2020-4076)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-10-27T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:nspr", "p-cpe:/a:oracle:linux:nspr-devel", "p-cpe:/a:oracle:linux:nss", "p-cpe:/a:oracle:linux:nss-devel", "p-cpe:/a:oracle:linux:nss-pkcs11-devel", "p-cpe:/a:oracle:linux:nss-softokn", "p-cpe:/a:oracle:linux:nss-softokn-devel", "p-cpe:/a:oracle:linux:nss-softokn-freebl", "p-cpe:/a:oracle:linux:nss-softokn-freebl-devel", "p-cpe:/a:oracle:linux:nss-sysinit", "p-cpe:/a:oracle:linux:nss-tools", "p-cpe:/a:oracle:linux:nss-util", "p-cpe:/a:oracle:linux:nss-util-devel"], "id": "ORACLELINUX_ELSA-2020-4076.NASL", "href": "https://www.tenable.com/plugins/nessus/141312", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2020-4076.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141312);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/27\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_bugtraq_id(109085, 109086);\n\n script_name(english:\"Oracle Linux 7 : nss / and / nspr (ELSA-2020-4076)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nELSA-2020-4076 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://linux.oracle.com/errata/ELSA-2020-4076.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:nss-util-devel\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\n\npkgs = [\n {'reference':'nspr-4.25.0-2.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nspr-4.25.0-2.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nspr-devel-4.25.0-2.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nspr-devel-4.25.0-2.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-3.53.1-3.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-devel-3.53.1-3.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-devel-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-softokn-3.53.1-6.0.1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-softokn-3.53.1-6.0.1.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-softokn-devel-3.53.1-6.0.1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-softokn-devel-3.53.1-6.0.1.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-softokn-freebl-3.53.1-6.0.1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-softokn-freebl-3.53.1-6.0.1.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.0.1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.0.1.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-util-3.53.1-1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-util-3.53.1-1.el7_9', 'cpu':'x86_64', 'release':'7'},\n {'reference':'nss-util-devel-3.53.1-1.el7_9', 'cpu':'i686', 'release':'7'},\n {'reference':'nss-util-devel-3.53.1-1.el7_9', 'cpu':'x86_64', 'release':'7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n rpm_prefix = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['rpm_prefix'])) rpm_prefix = package_array['rpm_prefix'];\n if (reference && release) {\n if (rpm_prefix) {\n if (rpm_exists(release:release, rpm:rpm_prefix) && rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nspr / nspr-devel / nss / etc');\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-27T14:24:18", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:4076 advisory.\n\n - nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-09-30T00:00:00", "type": "nessus", "title": "RHEL 7 : nss and nspr (RHSA-2020:4076)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2023-05-25T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:nspr", "p-cpe:/a:redhat:enterprise_linux:nspr-devel", "p-cpe:/a:redhat:enterprise_linux:nss", "p-cpe:/a:redhat:enterprise_linux:nss-devel", "p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel", "p-cpe:/a:redhat:enterprise_linux:nss-softokn", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl", "p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel", "p-cpe:/a:redhat:enterprise_linux:nss-sysinit", "p-cpe:/a:redhat:enterprise_linux:nss-tools", "p-cpe:/a:redhat:enterprise_linux:nss-util", "p-cpe:/a:redhat:enterprise_linux:nss-util-devel"], "id": "REDHAT-RHSA-2020-4076.NASL", "href": "https://www.tenable.com/plugins/nessus/141059", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4076. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(141059);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/25\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_bugtraq_id(109085, 109086);\n script_xref(name:\"RHSA\", value:\"2020:4076\");\n script_xref(name:\"IAVA\", value:\"2020-A-0287-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0391-S\");\n script_xref(name:\"IAVA\", value:\"2020-A-0002-S\");\n script_xref(name:\"IAVA\", value:\"2019-A-0231-S\");\n script_xref(name:\"IAVA\", value:\"2019-A-0438-S\");\n\n script_name(english:\"RHEL 7 : nss and nspr (RHSA-2020:4076)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2020:4076 advisory.\n\n - nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function\n (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11719\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11727\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17006\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6829\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12400\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12401\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12403\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2020:4076\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1728436\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1730988\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1774835\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1775916\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1791225\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1826187\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1826231\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1851294\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1853983\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1868931\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(122, 125, 327, 416);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:nss-util-devel\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/os',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/debug',\n 'content/dist/rhel-alt/server/7/7Server/power9/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/debug',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/optional/source/SRPMS',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/os',\n 'content/dist/rhel-alt/server/7/7Server/system-z-a/s390x/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/os',\n 'content/dist/rhel/client/7/7Client/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/client/7/7Client/x86_64/os',\n 'content/dist/rhel/client/7/7Client/x86_64/source/SRPMS',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/debug',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/os',\n 'content/dist/rhel/client/7/7Client/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/source/SRPMS',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/debug',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/os',\n 'content/dist/rhel/computenode/7/7ComputeNode/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/highavailability/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/optional/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/resilientstorage/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap-hana/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/sap/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/source/SRPMS',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/debug',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/os',\n 'content/dist/rhel/power-le/7/7Server/ppc64le/supplementary/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/os',\n 'content/dist/rhel/power/7/7Server/ppc64/optional/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/os',\n 'content/dist/rhel/power/7/7Server/ppc64/sap/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/source/SRPMS',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/debug',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/os',\n 'content/dist/rhel/power/7/7Server/ppc64/supplementary/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/os',\n 'content/dist/rhel/server/7/7Server/x86_64/highavailability/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/os',\n 'content/dist/rhel/server/7/7Server/x86_64/nfv/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/os',\n 'content/dist/rhel/server/7/7Server/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/server/7/7Server/x86_64/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/os',\n 'content/dist/rhel/server/7/7Server/x86_64/resilientstorage/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/os',\n 'content/dist/rhel/server/7/7Server/x86_64/rt/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap-hana/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sap/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/os',\n 'content/dist/rhel/server/7/7Server/x86_64/supplementary/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/highavailability/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/optional/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/resilientstorage/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/sap/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/source/SRPMS',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/debug',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/os',\n 'content/dist/rhel/system-z/7/7Server/s390x/supplementary/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/optional/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/oracle-java-rm/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/source/SRPMS',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/debug',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/os',\n 'content/dist/rhel/workstation/7/7Workstation/x86_64/supplementary/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/debug',\n 'content/fastrack/rhel/client/7/x86_64/optional/os',\n 'content/fastrack/rhel/client/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/client/7/x86_64/os',\n 'content/fastrack/rhel/client/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/debug',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/os',\n 'content/fastrack/rhel/computenode/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/computenode/7/x86_64/os',\n 'content/fastrack/rhel/computenode/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/debug',\n 'content/fastrack/rhel/power/7/ppc64/optional/os',\n 'content/fastrack/rhel/power/7/ppc64/optional/source/SRPMS',\n 'content/fastrack/rhel/power/7/ppc64/os',\n 'content/fastrack/rhel/power/7/ppc64/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/debug',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/os',\n 'content/fastrack/rhel/server/7/x86_64/highavailability/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/optional/debug',\n 'content/fastrack/rhel/server/7/x86_64/optional/os',\n 'content/fastrack/rhel/server/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/debug',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/os',\n 'content/fastrack/rhel/server/7/x86_64/resilientstorage/source/SRPMS',\n 'content/fastrack/rhel/server/7/x86_64/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/debug',\n 'content/fastrack/rhel/system-z/7/s390x/optional/os',\n 'content/fastrack/rhel/system-z/7/s390x/optional/source/SRPMS',\n 'content/fastrack/rhel/system-z/7/s390x/os',\n 'content/fastrack/rhel/system-z/7/s390x/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/debug',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/os',\n 'content/fastrack/rhel/workstation/7/x86_64/optional/source/SRPMS',\n 'content/fastrack/rhel/workstation/7/x86_64/os',\n 'content/fastrack/rhel/workstation/7/x86_64/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'nspr-4.25.0-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nspr-devel-4.25.0-2.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-3.53.1-3.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-devel-3.53.1-3.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-pkcs11-devel-3.53.1-3.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-3.53.1-6.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-devel-3.53.1-6.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-3.53.1-6.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'cpu':'ppc64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'cpu':'ppc64le', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'cpu':'s390x', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-3.53.1-1.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'nss-util-devel-3.53.1-1.el7_9', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nspr / nspr-devel / nss / nss-devel / nss-pkcs11-devel / nss-softokn / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:25", "description": "The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has nss packages installed that are affected by multiple vulnerabilities:\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-03-10T00:00:00", "type": "nessus", "title": "NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2021-0019)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2021-03-11T00:00:00", "cpe": [], "id": "NEWSTART_CGSL_NS-SA-2021-0019_NSS.NASL", "href": "https://www.tenable.com/plugins/nessus/147361", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from ZTE advisory NS-SA-2021-0019. The text\n# itself is copyright (C) ZTE, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(147361);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/11\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_bugtraq_id(109085, 109086);\n\n script_name(english:\"NewStart CGSL CORE 5.04 / MAIN 5.04 : nss Multiple Vulnerabilities (NS-SA-2021-0019)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote machine is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has nss packages installed that are affected by\nmultiple vulnerabilities:\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://security.gd-linux.com/notice/NS-SA-2021-0019\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the vulnerable CGSL nss packages. Note that updated packages may not be available yet. Please contact ZTE for\nmore information.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/03/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/03/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"NewStart CGSL Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/ZTE-CGSL/release\", \"Host/ZTE-CGSL/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/ZTE-CGSL/release');\nif (isnull(release) || release !~ \"^CGSL (MAIN|CORE)\") audit(AUDIT_OS_NOT, 'NewStart Carrier Grade Server Linux');\n\nif (release !~ \"CGSL CORE 5.04\" &&\n release !~ \"CGSL MAIN 5.04\")\n audit(AUDIT_OS_NOT, 'NewStart CGSL CORE 5.04 / NewStart CGSL MAIN 5.04');\n\nif (!get_kb_item('Host/ZTE-CGSL/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'NewStart Carrier Grade Server Linux', cpu);\n\nflag = 0;\n\npkgs = {\n 'CGSL CORE 5.04': [\n 'nss-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite',\n 'nss-debuginfo-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite',\n 'nss-devel-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite',\n 'nss-pkcs11-devel-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite',\n 'nss-sysinit-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite',\n 'nss-tools-3.53.1-3.el7_9.cgslv5.0.2.g95e6915.lite'\n ],\n 'CGSL MAIN 5.04': [\n 'nss-3.53.1-3.el7_9.cgslv5.0.1.g523727f',\n 'nss-debuginfo-3.53.1-3.el7_9.cgslv5.0.1.g523727f',\n 'nss-devel-3.53.1-3.el7_9.cgslv5.0.1.g523727f',\n 'nss-pkcs11-devel-3.53.1-3.el7_9.cgslv5.0.1.g523727f',\n 'nss-sysinit-3.53.1-3.el7_9.cgslv5.0.1.g523727f',\n 'nss-tools-3.53.1-3.el7_9.cgslv5.0.1.g523727f'\n ]\n};\npkg_list = pkgs[release];\n\nforeach (pkg in pkg_list)\n if (rpm_check(release:'ZTE ' + release, reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nss');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:11:02", "description": "Security Fix(es) :\n\n - nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\n - nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)", "cvss3": {}, "published": "2020-10-21T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : nss and nspr on SL7.x x86_64 (20201001)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-10-28T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:nspr", "p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nspr-devel", "p-cpe:/a:fermilab:scientific_linux:nss", "p-cpe:/a:fermilab:scientific_linux:nss-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-devel", "p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel", "p-cpe:/a:fermilab:scientific_linux:nss-softokn", "p-cpe:/a:fermilab:scientific_linux:nss-softokn-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-softokn-devel", "p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl", "p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl-devel", "p-cpe:/a:fermilab:scientific_linux:nss-sysinit", "p-cpe:/a:fermilab:scientific_linux:nss-tools", "p-cpe:/a:fermilab:scientific_linux:nss-util", "p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo", "p-cpe:/a:fermilab:scientific_linux:nss-util-devel", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20201001_NSS_AND_NSPR_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/141689", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141689);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/28\");\n\n script_cve_id(\"CVE-2019-11719\", \"CVE-2019-11727\", \"CVE-2019-11756\", \"CVE-2019-17006\", \"CVE-2019-17023\", \"CVE-2020-12400\", \"CVE-2020-12401\", \"CVE-2020-12402\", \"CVE-2020-12403\", \"CVE-2020-6829\");\n\n script_name(english:\"Scientific Linux Security Update : nss and nspr on SL7.x x86_64 (20201001)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security Fix(es) :\n\n - nss: Out-of-bounds read when importing curve25519\n private key (CVE-2019-11719)\n\n - nss: Use-after-free in sftk_FreeSession due to improper\n refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives\n (CVE-2019-17006)\n\n - nss: Side channel attack on ECDSA signature generation\n (CVE-2020-6829)\n\n - nss: P-384 and P-521 implementation uses a side-channel\n vulnerable modular inversion function (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass\n (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key\n generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag\n leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3\n (CVE-2019-11727)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets\n client into invalid state (CVE-2019-17023)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind2010&L=SCIENTIFIC-LINUX-ERRATA&P=14301\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?d878e66a\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-softokn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nspr-4.25.0-2.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nspr-debuginfo-4.25.0-2.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nspr-devel-4.25.0-2.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-debuginfo-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-devel-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-pkcs11-devel-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-softokn-3.53.1-6.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-softokn-debuginfo-3.53.1-6.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-softokn-devel-3.53.1-6.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-softokn-freebl-3.53.1-6.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-softokn-freebl-devel-3.53.1-6.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-sysinit-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-tools-3.53.1-3.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-util-3.53.1-1.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-util-debuginfo-3.53.1-1.el7_9\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"nss-util-devel-3.53.1-1.el7_9\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / nss / nss-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-23T14:21:49", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2020-1559 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-11-11T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : nspr (ALAS-2020-1559)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-11-11T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:nspr", "p-cpe:/a:amazon:linux:nspr-debuginfo", "p-cpe:/a:amazon:linux:nspr-devel", "p-cpe:/a:amazon:linux:nss", "p-cpe:/a:amazon:linux:nss-debuginfo", "p-cpe:/a:amazon:linux:nss-devel", "p-cpe:/a:amazon:linux:nss-pkcs11-devel", "p-cpe:/a:amazon:linux:nss-softokn", "p-cpe:/a:amazon:linux:nss-softokn-debuginfo", "p-cpe:/a:amazon:linux:nss-softokn-devel", "p-cpe:/a:amazon:linux:nss-util", "p-cpe:/a:amazon:linux:nss-util-debuginfo", "p-cpe:/a:amazon:linux:nss-util-devel", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:nss-softokn-freebl", "p-cpe:/a:amazon:linux:nss-softokn-freebl-devel", "p-cpe:/a:amazon:linux:nss-sysinit", "p-cpe:/a:amazon:linux:nss-tools"], "id": "AL2_ALAS-2020-1559.NASL", "href": "https://www.tenable.com/plugins/nessus/142720", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1559.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142720);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/11\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_bugtraq_id(109086, 109085);\n script_xref(name:\"ALAS\", value:\"2020-1559\");\n\n script_name(english:\"Amazon Linux 2 : nspr (ALAS-2020-1559)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by\nmultiple vulnerabilities as referenced in the ALAS2-2020-1559 advisory.\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1559.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11719\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11727\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-11756\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17006\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-17023\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12400\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12401\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-12403\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-6829\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update nspr' to update your system.\n Run 'yum update nss-softokn' to update your system.\n Run 'yum update nss-util' to update your system.\n Run 'yum update nss' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'nspr-4.25.0-2.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nspr-4.25.0-2.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nspr-4.25.0-2.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nspr-debuginfo-4.25.0-2.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nspr-debuginfo-4.25.0-2.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nspr-debuginfo-4.25.0-2.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nspr-devel-4.25.0-2.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nspr-devel-4.25.0-2.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nspr-devel-4.25.0-2.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-debuginfo-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-debuginfo-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-debuginfo-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-devel-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-devel-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-devel-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-softokn-3.53.1-6.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-softokn-3.53.1-6.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-softokn-3.53.1-6.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-softokn-debuginfo-3.53.1-6.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-softokn-debuginfo-3.53.1-6.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-softokn-debuginfo-3.53.1-6.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-softokn-devel-3.53.1-6.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-softokn-devel-3.53.1-6.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-softokn-devel-3.53.1-6.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-3.53.1-6.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-3.53.1-6.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-3.53.1-6.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-sysinit-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-sysinit-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-sysinit-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-tools-3.53.1-3.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-tools-3.53.1-3.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-tools-3.53.1-3.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-util-3.53.1-1.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-util-3.53.1-1.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-util-3.53.1-1.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-util-debuginfo-3.53.1-1.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-util-debuginfo-3.53.1-1.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-util-debuginfo-3.53.1-1.amzn2', 'cpu':'x86_64', 'release':'AL2'},\n {'reference':'nss-util-devel-3.53.1-1.amzn2', 'cpu':'aarch64', 'release':'AL2'},\n {'reference':'nss-util-devel-3.53.1-1.amzn2', 'cpu':'i686', 'release':'AL2'},\n {'reference':'nss-util-devel-3.53.1-1.amzn2', 'cpu':'x86_64', 'release':'AL2'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"nspr / nspr-debuginfo / nspr-devel / etc\");\n}", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:38", "description": "The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:4076 advisory.\n\n - nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-11-06T00:00:00", "type": "nessus", "title": "CentOS 7 : nss and nspr (CESA-2020:4076)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-11-30T00:00:00", "cpe": ["p-cpe:/a:centos:centos:nspr", "p-cpe:/a:centos:centos:nspr-devel", "p-cpe:/a:centos:centos:nss", "p-cpe:/a:centos:centos:nss-devel", "p-cpe:/a:centos:centos:nss-pkcs11-devel", "p-cpe:/a:centos:centos:nss-softokn", "p-cpe:/a:centos:centos:nss-softokn-devel", "p-cpe:/a:centos:centos:nss-softokn-freebl", "p-cpe:/a:centos:centos:nss-softokn-freebl-devel", "p-cpe:/a:centos:centos:nss-sysinit", "p-cpe:/a:centos:centos:nss-tools", "p-cpe:/a:centos:centos:nss-util", "p-cpe:/a:centos:centos:nss-util-devel", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2020-4076.NASL", "href": "https://www.tenable.com/plugins/nessus/142600", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2020:4076 and\n# CentOS Errata and Security Advisory 2020:4076 respectively.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(142600);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/11/30\");\n\n script_cve_id(\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2020-6829\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\"\n );\n script_bugtraq_id(109085, 109086);\n script_xref(name:\"RHSA\", value:\"2020:4076\");\n\n script_name(english:\"CentOS 7 : nss and nspr (CESA-2020:4076)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2020:4076 advisory.\n\n - nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n - nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n - nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n - nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n - nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\n - nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function\n (CVE-2020-12400)\n\n - nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n - nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n - nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n - nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-November/012876.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5c6405af\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-November/012877.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1352d2d8\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-November/012878.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?68abfba7\");\n # https://lists.centos.org/pipermail/centos-cr-announce/2020-November/012879.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?e4a2823e\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/122.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/125.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/327.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwe.mitre.org/data/definitions/416.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_cwe_id(122, 125, 327, 416);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/06\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nspr-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-pkcs11-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-softokn-freebl-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-sysinit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:nss-util-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'CentOS 7.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\npkgs = [\n {'reference':'nspr-4.25.0-2.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nspr-4.25.0-2.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nspr-devel-4.25.0-2.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nspr-devel-4.25.0-2.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-3.53.1-3.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-3.53.1-3.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-devel-3.53.1-3.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-devel-3.53.1-3.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-pkcs11-devel-3.53.1-3.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-softokn-3.53.1-6.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-softokn-3.53.1-6.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-softokn-devel-3.53.1-6.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-softokn-devel-3.53.1-6.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-softokn-freebl-3.53.1-6.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-softokn-freebl-3.53.1-6.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-softokn-freebl-devel-3.53.1-6.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-sysinit-3.53.1-3.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-tools-3.53.1-3.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-util-3.53.1-1.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-util-3.53.1-1.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'},\n {'reference':'nss-util-devel-3.53.1-1.el7_9', 'sp':'9', 'cpu':'i686', 'release':'CentOS-7'},\n {'reference':'nss-util-devel-3.53.1-1.el7_9', 'sp':'9', 'cpu':'x86_64', 'release':'CentOS-7'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nspr / nspr-devel / nss / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:02:03", "description": "The version of Firefox installed on the remote Windows host is prior to 72.0. It is, therefore, affected by multiple vulnerabilities as referenced in the mfsa2020-01 advisory, including the following:\n\n - During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. (CVE-2019-17015)\n\n - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in data exfiltration. (CVE-2019-17016)\n\n - Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.\n (CVE-2019-17017)\n\n - When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard. (CVE-2019-17018)\n\n - When Python was installed on Windows, a python file being served with the MIME type of text/plain could be executed by Python instead of being opened as a text file when the Open option was selected upon download. (CVE-2019-17019)\n\n - If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.\n includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document. (CVE-2019-17020)\n\n - During the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. (CVE-2019-17021)\n\n - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape < and > characters. Because the resulting string is pasted directly into the text node of the element this does not result in a direct injection into the webpage; however, if a webpage subsequently copies the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two WYSIWYG editors were identified with this behavior, more may exist. (CVE-2019-17022) \n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. (CVE-2019-17023)\n\n - Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17024)\n\n - Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17025)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-01-08T00:00:00", "type": "nessus", "title": "Mozilla Firefox < 72.0 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-17015", "CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17018", "CVE-2019-17019", "CVE-2019-17020", "CVE-2019-17021", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025"], "modified": "2020-02-14T00:00:00", "cpe": ["cpe:/a:mozilla:firefox"], "id": "MOZILLA_FIREFOX_72_0.NASL", "href": "https://www.tenable.com/plugins/nessus/132709", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n\n# The descriptive text and package checks in this plugin were\n# extracted from Mozilla Foundation Security Advisory mfsa2020-01.\n# The text itself is copyright (C) Mozilla Foundation.\n\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132709);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/02/14\");\n\n script_cve_id(\n \"CVE-2019-17015\",\n \"CVE-2019-17016\",\n \"CVE-2019-17017\",\n \"CVE-2019-17018\",\n \"CVE-2019-17019\",\n \"CVE-2019-17020\",\n \"CVE-2019-17021\",\n \"CVE-2019-17022\",\n \"CVE-2019-17023\",\n \"CVE-2019-17024\",\n \"CVE-2019-17025\"\n );\n script_xref(name:\"MFSA\", value:\"2020-01\");\n\n script_name(english:\"Mozilla Firefox < 72.0 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A web browser installed on the remote Windows host is affected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Firefox installed on the remote Windows host is prior to 72.0. It is, therefore, affected by multiple\nvulnerabilities as referenced in the mfsa2020-01 advisory, including the following:\n\n - During the initialization of a new content process, a pointer offset can be manipulated leading to\n memory corruption and a potentially exploitable crash in the parent process. (CVE-2019-17015)\n\n - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer incorrectly\n rewrites a @namespace rule. This could allow for injection into certain types of websites resulting in\n data exfiltration. (CVE-2019-17016)\n\n - Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a\n crash. We presume that with enough effort that it could be exploited to run arbitrary code.\n (CVE-2019-17017)\n\n - When in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve\n the accuracy of the keyboard. (CVE-2019-17018)\n\n - When Python was installed on Windows, a python file being served with the MIME type of text/plain could\n be executed by Python instead of being opened as a text file when the Open option was selected upon\n download. (CVE-2019-17019)\n\n - If an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the\n Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g.\n includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to\n the XML document. (CVE-2019-17020)\n\n - During the initialization of a new content process, a race condition occurs that can allow a content\n process to disclose heap addresses from the parent process. (CVE-2019-17021)\n\n - When pasting a <style> tag from the clipboard into a rich text editor, the CSS sanitizer does not escape\n < and > characters. Because the resulting string is pasted directly into the text node of the element\n this does not result in a direct injection into the webpage; however, if a webpage subsequently copies\n the node's innerHTML, assigning it to another innerHTML, this would result in an XSS vulnerability. Two\n WYSIWYG editors were identified with this behavior, more may exist. (CVE-2019-17022)\n \n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3,\n resulting in an invalid state transition in the TLS State Machine. If the client gets into this state,\n incoming Application Data records will be ignored. (CVE-2019-17023)\n\n - Mozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in\n Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume\n that with enough effort some of these could have been exploited to run arbitrary code. (CVE-2019-17024)\n\n - Mozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler\n reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory\n corruption and we presume that with enough effort some of these could have been exploited to run\n arbitrary code. (CVE-2019-17025)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Mozilla Firefox version 72.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17025\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:mozilla:firefox\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mozilla_org_installed.nasl\");\n script_require_keys(\"Mozilla/Firefox/Version\");\n\n exit(0);\n}\n\ninclude('mozilla_version.inc');\n\nport = get_kb_item(\"SMB/transport\");\nif (!port) port = 445;\n\ninstalls = get_kb_list(\"SMB/Mozilla/Firefox/*\");\nif (isnull(installs)) audit(AUDIT_NOT_INST, \"Firefox\");\n\nmozilla_check_version(installs:installs, product:'firefox', esr:FALSE, fix:'72.0', xss:TRUE, severity:SECURITY_WARNING);\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:02:30", "description": "The version of AHV installed on the remote host is prior to 20201105.1021. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AHV-20201105.1021 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a guest agent, which allows attackers to cause a denial of service (API blockage). (CVE-2019-20485)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A NULL pointer dereference was found in the libvirt API responsible introduced in upstream version 3.10.0, and fixed in libvirt 6.0.0, for fetching a storage pool based on its target path. In more detail, this flaw affects storage pools created without a target path such as network-based pools like gluster and RBD.\n Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon, resulting in a potential denial of service. (CVE-2020-10703)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to stack consumption. (CVE-2020-12825)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit access control driver. Specifically, clients connecting to the read-write socket with limited ACL permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or potentially escalate their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25637)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20201105.1021)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15903", "CVE-2019-16935", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-19126", "CVE-2019-19956", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20485", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2020-10703", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12825", "CVE-2020-14422", "CVE-2020-15999", "CVE-2020-25637", "CVE-2020-2574", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:ahv"], "id": "NUTANIX_NXSA-AHV-20201105_1021.NASL", "href": "https://www.tenable.com/plugins/nessus/164552", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164552);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15903\",\n \"CVE-2019-16935\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17498\",\n \"CVE-2019-19126\",\n \"CVE-2019-19956\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20485\",\n \"CVE-2019-20907\",\n \"CVE-2020-2574\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-10703\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12825\",\n \"CVE-2020-14422\",\n \"CVE-2020-15999\",\n \"CVE-2020-25637\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AHV : Multiple Vulnerabilities (NXSA-AHV-20201105.1021)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AHV host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AHV installed on the remote host is prior to 20201105.1021. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AHV-20201105.1021 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - qemu/qemu_driver.c in libvirt before 6.0.0 mishandles the holding of a monitor job during a query to a\n guest agent, which allows attackers to cause a denial of service (API blockage). (CVE-2019-20485)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A NULL pointer dereference was found in the libvirt API responsible introduced in upstream version 3.10.0,\n and fixed in libvirt 6.0.0, for fetching a storage pool based on its target path. In more detail, this\n flaw affects storage pools created without a target path such as network-based pools like gluster and RBD.\n Unprivileged users with a read-only connection could abuse this flaw to crash the libvirt daemon,\n resulting in a potential denial of service. (CVE-2020-10703)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - libcroco through 0.6.13 has excessive recursion in cr_parser_parse_any_core in cr-parser.c, leading to\n stack consumption. (CVE-2020-12825)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A double free memory issue was found to occur in the libvirt API, in versions before 6.8.0, responsible\n for requesting information about network interfaces of a running QEMU domain. This flaw affects the polkit\n access control driver. Specifically, clients connecting to the read-write socket with limited ACL\n permissions could use this flaw to crash the libvirt daemon, resulting in a denial of service, or\n potentially escalate their privileges on the system. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25637)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AHV-20201105.1021\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?085dcec0\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AHV software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/05/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/09/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:ahv\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/Node/Version\", \"Host/Nutanix/Data/Node/Type\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info(node:TRUE);\n\nvar constraints = [\n { 'fixed_version' : '20201105.1021', 'product' : 'AHV', 'fixed_display' : 'Upgrade the AHV install to 20201105.1021 or higher.' }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-24T16:06:39", "description": "The version of AOS installed on the remote host is prior to 5.19.0.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.19.0.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.0.5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14331", "CVE-2020-14422", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_19_0_5.NASL", "href": "https://www.tenable.com/plugins/nessus/164556", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164556);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14331\",\n \"CVE-2020-14422\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.0.5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.19.0.5. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.19.0.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.19.0.5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fb66440b\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.19.0.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.19.0.5 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.19.0.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.19.0.5 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:37", "description": "The version of AOS installed on the remote host is prior to 5.15.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.15.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.5)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18282", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14385", "CVE-2020-14422", "CVE-2020-14779", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14803", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25643", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383", "CVE-2021-3156"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_15_5.NASL", "href": "https://www.tenable.com/plugins/nessus/164599", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164599);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18282\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-1971\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14314\",\n \"CVE-2020-14331\",\n \"CVE-2020-14385\",\n \"CVE-2020-14422\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\",\n \"CVE-2020-15862\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\",\n \"CVE-2020-24394\",\n \"CVE-2020-25212\",\n \"CVE-2020-25643\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.15.5)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.15.5. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.15.5 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking\n vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on\n a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value\n remains the same starting from boot time, and can be inferred by an attacker. This affects\n net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4\n bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of\n service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file\n system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash\n the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in\n XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can\n lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading\n to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB\n provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name\n types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different\n instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both\n GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a\n possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1)\n Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in\n an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp\n authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an\n attacker can control both items being compared then that attacker could trigger a crash. For example if\n the attacker can trick a client or server into checking a malicious certificate against a malicious CRL\n then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a\n certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements\n automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an\n unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of\n EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will\n accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected\n 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause\n the system to crash or cause a denial of service. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which\n allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single\n backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is\n exploitable by any local user who can execute the sudo command without authentication. Successful\n exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.15.5\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?3d45c0ac\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.15.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.15.5 or higher.', 'lts' : TRUE },\n { 'fixed_version' : '5.15.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.15.5 or higher.', 'lts' : TRUE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-17T16:34:12", "description": "The version of AOS installed on the remote host is prior to 5.19.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.19.1 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline character in a malicious filename, rather than matching only the end of the filename. This could be exploited in environments where uploads of some files are are externally blocked, but only by matching the trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0, disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances created by cloning a golden master or template system, sharing ssh host keys, and being able to impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI applications (SessionEnv on, not the default), a remote user may influence their content by using a Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30 due to an out of bound read while preparing data to be cached in shared memory. It could be used as a Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout() and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the victim must open a specially crafted chm file. The fixed version is: after commit 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may contain files with permissions the attacker did not have or in paths he did not have access to. Extracting those archives from a high-privilege user without carefully reviewing them may lead to the compromise of the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber) then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length checks. In cases where the application calling the library did not perform a sanity check on the inputs it could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds check could fail and memory outside a buffer could be written to, or uninitialized data could be disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value remains the same starting from boot time, and can be inferred by an attacker. This affects net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB device in the USB character device driver layer, aka CID-303911cfc5b9. This affects drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The timeri variable was originally intended to be for a newly created timer instance, but was used for a different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed, it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause a kernel panic. The highest threat from this vulnerability is to data confidentiality and system availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly only validate the first netlink message in the skb and allow or deny the rest of the messages within the skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4 bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat, leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing, aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability because the issue is a bug in parsing mount options which can only be specified by a privileged user, so triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar multiplication was removed, resulting in variable-time execution dependent on secret data. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected, but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote user to crash the system, causing a denial of service. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds write to occur. This flaw allows a local user with access to the VGA console to crash the system, potentially escalating their privileges on the system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1) Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an attacker can control both items being compared then that attacker could trigger a crash. For example if the attacker can trick a client or server into checking a malicious certificate against a malicious CRL then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause the system to crash or cause a denial of service. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which leaked partial information about the nonce used during signature generation. Given an electro-magnetic trace of a few signature generations, the private key could have been computed. This vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating the server receiving the TSIG-signed request, could send a truncated response to that request, triggering an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An attacker who has been granted privileges to change a specific subset of the zone's content could abuse these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it, aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is exploitable by any local user who can execute the sudo command without authentication. Successful exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2022-09-01T00:00:00", "type": "nessus", "title": "Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12652", "CVE-2017-15715", "CVE-2017-18190", "CVE-2017-18551", "CVE-2018-10896", "CVE-2018-1283", "CVE-2018-1303", "CVE-2018-20836", "CVE-2018-20843", "CVE-2019-10098", "CVE-2019-1010305", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12614", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-15217", "CVE-2019-15807", "CVE-2019-15903", "CVE-2019-15917", "CVE-2019-16231", "CVE-2019-16233", "CVE-2019-16935", "CVE-2019-16994", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17053", "CVE-2019-17055", "CVE-2019-17498", "CVE-2019-18197", "CVE-2019-18282", "CVE-2019-18808", "CVE-2019-19046", "CVE-2019-19055", "CVE-2019-19058", "CVE-2019-19059", "CVE-2019-19062", "CVE-2019-19063", "CVE-2019-19126", "CVE-2019-19332", "CVE-2019-19447", "CVE-2019-19523", "CVE-2019-19524", "CVE-2019-19530", "CVE-2019-19534", "CVE-2019-19537", "CVE-2019-19767", "CVE-2019-19807", "CVE-2019-19956", "CVE-2019-20054", "CVE-2019-20095", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-20636", "CVE-2019-20811", "CVE-2019-20907", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2019-9454", "CVE-2019-9458", "CVE-2020-10690", "CVE-2020-10732", "CVE-2020-10742", "CVE-2020-10751", "CVE-2020-10769", "CVE-2020-10942", "CVE-2020-11565", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12770", "CVE-2020-12826", "CVE-2020-13943", "CVE-2020-14305", "CVE-2020-14314", "CVE-2020-14331", "CVE-2020-14385", "CVE-2020-14422", "CVE-2020-14779", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14792", "CVE-2020-14796", "CVE-2020-14797", "CVE-2020-14803", "CVE-2020-15862", "CVE-2020-15999", "CVE-2020-1749", "CVE-2020-17527", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-1971", "CVE-2020-24394", "CVE-2020-25212", "CVE-2020-25643", "CVE-2020-2574", "CVE-2020-2732", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8492", "CVE-2020-8622", "CVE-2020-8623", "CVE-2020-8624", "CVE-2020-8631", "CVE-2020-8632", "CVE-2020-8647", "CVE-2020-8649", "CVE-2020-9383", "CVE-2021-3156"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:nutanix:aos"], "id": "NUTANIX_NXSA-AOS-5_19_1.NASL", "href": "https://www.tenable.com/plugins/nessus/164584", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(164584);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\n \"CVE-2017-12652\",\n \"CVE-2017-15715\",\n \"CVE-2017-18190\",\n \"CVE-2017-18551\",\n \"CVE-2018-1283\",\n \"CVE-2018-1303\",\n \"CVE-2018-10896\",\n \"CVE-2018-20836\",\n \"CVE-2018-20843\",\n \"CVE-2019-2974\",\n \"CVE-2019-5094\",\n \"CVE-2019-5188\",\n \"CVE-2019-5482\",\n \"CVE-2019-8675\",\n \"CVE-2019-8696\",\n \"CVE-2019-9454\",\n \"CVE-2019-9458\",\n \"CVE-2019-10098\",\n \"CVE-2019-11068\",\n \"CVE-2019-11719\",\n \"CVE-2019-11727\",\n \"CVE-2019-11756\",\n \"CVE-2019-12450\",\n \"CVE-2019-12614\",\n \"CVE-2019-12749\",\n \"CVE-2019-14822\",\n \"CVE-2019-14866\",\n \"CVE-2019-15217\",\n \"CVE-2019-15807\",\n \"CVE-2019-15903\",\n \"CVE-2019-15917\",\n \"CVE-2019-16231\",\n \"CVE-2019-16233\",\n \"CVE-2019-16935\",\n \"CVE-2019-16994\",\n \"CVE-2019-17006\",\n \"CVE-2019-17023\",\n \"CVE-2019-17053\",\n \"CVE-2019-17055\",\n \"CVE-2019-17498\",\n \"CVE-2019-18197\",\n \"CVE-2019-18282\",\n \"CVE-2019-18808\",\n \"CVE-2019-19046\",\n \"CVE-2019-19055\",\n \"CVE-2019-19058\",\n \"CVE-2019-19059\",\n \"CVE-2019-19062\",\n \"CVE-2019-19063\",\n \"CVE-2019-19126\",\n \"CVE-2019-19332\",\n \"CVE-2019-19447\",\n \"CVE-2019-19523\",\n \"CVE-2019-19524\",\n \"CVE-2019-19530\",\n \"CVE-2019-19534\",\n \"CVE-2019-19537\",\n \"CVE-2019-19767\",\n \"CVE-2019-19807\",\n \"CVE-2019-19956\",\n \"CVE-2019-20054\",\n \"CVE-2019-20095\",\n \"CVE-2019-20386\",\n \"CVE-2019-20388\",\n \"CVE-2019-20636\",\n \"CVE-2019-20811\",\n \"CVE-2019-20907\",\n \"CVE-2019-1010305\",\n \"CVE-2020-1749\",\n \"CVE-2020-1927\",\n \"CVE-2020-1934\",\n \"CVE-2020-1971\",\n \"CVE-2020-2574\",\n \"CVE-2020-2732\",\n \"CVE-2020-2752\",\n \"CVE-2020-2780\",\n \"CVE-2020-2812\",\n \"CVE-2020-6829\",\n \"CVE-2020-7595\",\n \"CVE-2020-8177\",\n \"CVE-2020-8492\",\n \"CVE-2020-8622\",\n \"CVE-2020-8623\",\n \"CVE-2020-8624\",\n \"CVE-2020-8631\",\n \"CVE-2020-8632\",\n \"CVE-2020-8647\",\n \"CVE-2020-8649\",\n \"CVE-2020-9383\",\n \"CVE-2020-10690\",\n \"CVE-2020-10732\",\n \"CVE-2020-10742\",\n \"CVE-2020-10751\",\n \"CVE-2020-10769\",\n \"CVE-2020-10942\",\n \"CVE-2020-11565\",\n \"CVE-2020-12243\",\n \"CVE-2020-12400\",\n \"CVE-2020-12401\",\n \"CVE-2020-12402\",\n \"CVE-2020-12403\",\n \"CVE-2020-12770\",\n \"CVE-2020-12826\",\n \"CVE-2020-13943\",\n \"CVE-2020-14305\",\n \"CVE-2020-14314\",\n \"CVE-2020-14331\",\n \"CVE-2020-14385\",\n \"CVE-2020-14422\",\n \"CVE-2020-14779\",\n \"CVE-2020-14781\",\n \"CVE-2020-14782\",\n \"CVE-2020-14792\",\n \"CVE-2020-14796\",\n \"CVE-2020-14797\",\n \"CVE-2020-14803\",\n \"CVE-2020-15862\",\n \"CVE-2020-15999\",\n \"CVE-2020-17527\",\n \"CVE-2020-24394\",\n \"CVE-2020-25212\",\n \"CVE-2020-25643\",\n \"CVE-2021-3156\"\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2021/11/17\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/27\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0124\");\n\n script_name(english:\"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.19.1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Nutanix AOS host is affected by multiple vulnerabilities .\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of AOS installed on the remote host is prior to 5.19.1. It is, therefore, affected by multiple\nvulnerabilities as referenced in the NXSA-AOS-5.19.1 advisory.\n\n - libpng before 1.6.32 does not properly check the length of chunks against the user limit. (CVE-2017-12652)\n\n - In Apache httpd 2.4.0 to 2.4.29, the expression specified in <FilesMatch> could match '$' to a newline\n character in a malicious filename, rather than matching only the end of the filename. This could be\n exploited in environments where uploads of some files are are externally blocked, but only by matching the\n trailing portion of the filename. (CVE-2017-15715)\n\n - A localhost.localdomain whitelist entry in valid_host() in scheduler/client.c in CUPS before 2.2.2 allows\n remote attackers to execute arbitrary IPP commands by sending POST requests to the CUPS daemon in\n conjunction with DNS rebinding. The localhost.localdomain name is often resolved via a DNS server (neither\n the OS nor the web browser is responsible for ensuring that localhost.localdomain is 127.0.0.1).\n (CVE-2017-18190)\n\n - An issue was discovered in drivers/i2c/i2c-core-smbus.c in the Linux kernel before 4.14.15. There is an\n out of bounds write in the function i2c_smbus_xfer_emulated. (CVE-2017-18551)\n\n - The default cloud-init configuration, in cloud-init 0.6.2 and newer, included ssh_deletekeys: 0,\n disabling cloud-init's deletion of ssh host keys. In some environments, this could lead to instances\n created by cloning a golden master or template system, sharing ssh host keys, and being able to\n impersonate one another or conduct man-in-the-middle attacks. (CVE-2018-10896)\n\n - In Apache httpd 2.4.0 to 2.4.29, when mod_session is configured to forward its session data to CGI\n applications (SessionEnv on, not the default), a remote user may influence their content by using a\n Session header. This comes from the HTTP_SESSION variable name used by mod_session to forward its data\n to CGIs, since the prefix HTTP_ is also used by the Apache HTTP Server to pass HTTP header fields, per\n CGI specifications. (CVE-2018-1283)\n\n - A specially crafted HTTP request header could have crashed the Apache HTTP Server prior to version 2.4.30\n due to an out of bound read while preparing data to be cached in shared memory. It could be used as a\n Denial of Service attack against users of mod_cache_socache. The vulnerability is considered as low risk\n since mod_cache_socache is not widely used, mod_cache_disk is not concerned by this vulnerability.\n (CVE-2018-1303)\n\n - An issue was discovered in the Linux kernel before 4.20. There is a race condition in smp_task_timedout()\n and smp_task_done() in drivers/scsi/libsas/sas_expander.c, leading to a use-after-free. (CVE-2018-20836)\n\n - In libexpat in Expat before 2.2.7, XML input including XML names that contain a large number of colons\n could make the XML parser consume a high amount of RAM and CPU resources while processing (enough to be\n usable for denial-of-service attacks). (CVE-2018-20843)\n\n - In Apache HTTP server 2.4.0 to 2.4.39, Redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an unexpected URL within the\n request URL. (CVE-2019-10098)\n\n - libmspack 0.9.1alpha is affected by: Buffer Overflow. The impact is: Information Disclosure. The component\n is: function chmd_read_headers() in libmspack(file libmspack/mspack/chmd.c). The attack vector is: the\n victim must open a specially crafted chm file. The fixed version is: after commit\n 2f084136cfe0d05e5bf5703f3e83c6d955234b4d. (CVE-2019-1010305)\n\n - libxslt through 1.1.33 allows bypass of a protection mechanism because callers of xsltCheckRead and\n xsltCheckWrite permit access even upon receiving a -1 error code. xsltCheckRead can return -1 for a\n crafted URL that is not actually invalid and is subsequently loaded. (CVE-2019-11068)\n\n - When importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger\n an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information\n disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8.\n (CVE-2019-11719)\n\n - A vulnerability exists where it possible to force Network Security Services (NSS) to sign\n CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in\n CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This\n vulnerability affects Firefox < 68. (CVE-2019-11727)\n\n - Improper refcounting of soft token session objects could cause a use-after-free and crash (likely limited\n to a denial of service). This vulnerability affects Firefox < 71. (CVE-2019-11756)\n\n - file_copy_fallback in gio/gfile.c in GNOME GLib 2.15.0 through 2.61.1 does not properly restrict file\n permissions while a copy operation is in progress. Instead, default permissions are used. (CVE-2019-12450)\n\n - An issue was discovered in dlpar_parse_cc_property in arch/powerpc/platforms/pseries/dlpar.c in the Linux\n kernel through 5.1.6. There is an unchecked kstrdup of prop->name, which might allow an attacker to cause\n a denial of service (NULL pointer dereference and system crash). (CVE-2019-12614)\n\n - dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical\n Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of\n symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only\n affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own\n home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to\n read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a\n cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent\n client connection came from an attacker-chosen uid, allowing authentication bypass. (CVE-2019-12749)\n\n - A flaw was discovered in ibus in versions before 1.5.22 that allows any unprivileged user to monitor and\n send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A\n local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical\n interface, change the input method engine, or modify other input related configurations of the victim\n user. (CVE-2019-14822)\n\n - In all versions of cpio before 2.13 does not properly validate input files when generating TAR archives.\n When cpio is used to create TAR archives from paths an attacker can write to, the resulting archive may\n contain files with permissions the attacker did not have or in paths he did not have access to. Extracting\n those archives from a high-privilege user without carefully reviewing them may lead to the compromise of\n the system. (CVE-2019-14866)\n\n - An issue was discovered in the Linux kernel before 5.2.3. There is a NULL pointer dereference caused by a\n malicious USB device in the drivers/media/usb/zr364xx/zr364xx.c driver. (CVE-2019-15217)\n\n - In the Linux kernel before 5.1.13, there is a memory leak in drivers/scsi/libsas/sas_expander.c when SAS\n expander discovery fails. This will cause a BUG and denial of service. (CVE-2019-15807)\n\n - In libexpat before 2.2.8, crafted XML input could fool the parser into changing from DTD parsing to\n document parsing too early; a consecutive call to XML_GetCurrentLineNumber (or XML_GetCurrentColumnNumber)\n then resulted in a heap-based buffer over-read. (CVE-2019-15903)\n\n - An issue was discovered in the Linux kernel before 5.0.5. There is a use-after-free issue when\n hci_uart_register_dev() fails in hci_uart_set_proto() in drivers/bluetooth/hci_ldisc.c. (CVE-2019-15917)\n\n - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16231)\n\n - drivers/scsi/qla2xxx/qla_os.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value,\n leading to a NULL pointer dereference. (CVE-2019-16233)\n\n - The documentation XML-RPC server in Python through 2.7.16, 3.x through 3.6.9, and 3.7.x through 3.7.4 has\n XSS via the server_title field. This occurs in Lib/DocXMLRPCServer.py in Python 2.x, and in\n Lib/xmlrpc/server.py in Python 3.x. If set_server_title is called with untrusted input, arbitrary\n JavaScript can be delivered to clients that visit the http URL for this server. (CVE-2019-16935)\n\n - In the Linux kernel before 5.0, a memory leak exists in sit_init_net() in net/ipv6/sit.c when\n register_netdev() fails to register sitn->fb_tunnel_dev, which may cause denial of service, aka\n CID-07f12b26e21a. (CVE-2019-16994)\n\n - In Network Security Services (NSS) before 3.46, several cryptographic primitives had missing length\n checks. In cases where the application calling the library did not perform a sanity check on the inputs it\n could result in a crash due to a buffer overflow. (CVE-2019-17006)\n\n - After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting\n in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming\n Application Data records will be ignored. This vulnerability affects Firefox < 72. (CVE-2019-17023)\n\n - ieee802154_create in net/ieee802154/socket.c in the AF_IEEE802154 network module in the Linux kernel\n through 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket,\n aka CID-e69dbd4619e7. (CVE-2019-17053)\n\n - base_sock_create in drivers/isdn/mISDN/socket.c in the AF_ISDN network module in the Linux kernel through\n 5.3.2 does not enforce CAP_NET_RAW, which means that unprivileged users can create a raw socket, aka\n CID-b91ee4aa2a21. (CVE-2019-17055)\n\n - In libssh2 v1.9.0 and earlier versions, the SSH_MSG_DISCONNECT logic in packet.c has an integer overflow\n in a bounds check, enabling an attacker to specify an arbitrary (out-of-bounds) offset for a subsequent\n memory read. A crafted SSH server may be able to disclose sensitive information or cause a denial of\n service condition on the client system when a user connects to the server. (CVE-2019-17498)\n\n - In xsltCopyText in transform.c in libxslt 1.1.33, a pointer variable isn't reset under certain\n circumstances. If the relevant memory area happened to be freed and reused in a certain way, a bounds\n check could fail and memory outside a buffer could be written to, or uninitialized data could be\n disclosed. (CVE-2019-18197)\n\n - The flow_dissector feature in the Linux kernel 4.3 through 5.x before 5.3.10 has a device tracking\n vulnerability, aka CID-55667441c84f. This occurs because the auto flowlabel of a UDP IPv6 packet relies on\n a 32-bit hashrnd value as a secret, and because jhash (instead of siphash) is used. The hashrnd value\n remains the same starting from boot time, and can be inferred by an attacker. This affects\n net/core/flow_dissector.c and related code. (CVE-2019-18282)\n\n - A memory leak in the ccp_run_sha_cmd() function in drivers/crypto/ccp/ccp-ops.c in the Linux kernel\n through 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-128c66429247.\n (CVE-2019-18808)\n\n - ** DISPUTED ** A memory leak in the __ipmi_bmc_register() function in drivers/char/ipmi/ipmi_msghandler.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering ida_simple_get() failure, aka CID-4aa7afb0ee20. NOTE: third parties dispute the relevance of\n this because an attacker cannot realistically control this failure at probe time. (CVE-2019-19046)\n\n - ** DISPUTED ** A memory leak in the nl80211_get_ftm_responder_stats() function in net/wireless/nl80211.c\n in the Linux kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by\n triggering nl80211hdr_put() failures, aka CID-1399c59fa929. NOTE: third parties dispute the relevance of\n this because it occurs on a code path where a successful allocation has already occurred. (CVE-2019-19055)\n\n - A memory leak in the alloc_sgtable() function in drivers/net/wireless/intel/iwlwifi/fw/dbg.c in the Linux\n kernel through 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n alloc_page() failures, aka CID-b4b814fec1a5. (CVE-2019-19058)\n\n - Multiple memory leaks in the iwl_pcie_ctxt_info_gen3_init() function in\n drivers/net/wireless/intel/iwlwifi/pcie/ctxt-info-gen3.c in the Linux kernel through 5.3.11 allow\n attackers to cause a denial of service (memory consumption) by triggering iwl_pcie_init_fw_sec() or\n dma_alloc_coherent() failures, aka CID-0f4f199443fa. (CVE-2019-19059)\n\n - A memory leak in the crypto_report() function in crypto/crypto_user_base.c in the Linux kernel through\n 5.3.11 allows attackers to cause a denial of service (memory consumption) by triggering\n crypto_report_alg() failures, aka CID-ffdde5932042. (CVE-2019-19062)\n\n - Two memory leaks in the rtl_usb_probe() function in drivers/net/wireless/realtek/rtlwifi/usb.c in the\n Linux kernel through 5.3.11 allow attackers to cause a denial of service (memory consumption), aka\n CID-3f9361695113. (CVE-2019-19063)\n\n - On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the\n LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition,\n allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass\n ASLR for a setuid program. (CVE-2019-19126)\n\n - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way\n the Linux kernel's KVM hypervisor handled the 'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID\n features emulated by the KVM hypervisor. A user or process able to access the '/dev/kvm' device could use\n this flaw to crash the system, resulting in a denial of service. (CVE-2019-19332)\n\n - In the Linux kernel 5.0.21, mounting a crafted ext4 filesystem image, performing some operations, and\n unmounting can lead to a use-after-free in ext4_put_super in fs/ext4/super.c, related to dump_orphan_list\n in fs/ext4/super.c. (CVE-2019-19447)\n\n - In the Linux kernel before 5.3.7, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/misc/adutux.c driver, aka CID-44efc269db79. (CVE-2019-19523)\n\n - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9. (CVE-2019-19524)\n\n - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB\n device in the drivers/usb/class/cdc-acm.c driver, aka CID-c52873e5a1ef. (CVE-2019-19530)\n\n - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device\n in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29. (CVE-2019-19534)\n\n - In the Linux kernel before 5.2.10, there is a race condition bug that can be caused by a malicious USB\n device in the USB character device driver layer, aka CID-303911cfc5b9. This affects\n drivers/usb/core/file.c. (CVE-2019-19537)\n\n - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors\n in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka\n CID-4ea99936a163. (CVE-2019-19767)\n\n - In the Linux kernel before 5.3.11, sound/core/timer.c has a use-after-free caused by erroneous code\n refactoring, aka CID-e7af6307a8a5. This is related to snd_timer_open and snd_timer_close_locked. The\n timeri variable was originally intended to be for a newly created timer instance, but was used for a\n different purpose after refactoring. (CVE-2019-19807)\n\n - xmlParseBalancedChunkMemoryRecover in parser.c in libxml2 before 2.9.10 has a memory leak related to\n newDoc->oldNs. (CVE-2019-19956)\n\n - In the Linux kernel before 5.0.6, there is a NULL pointer dereference in drop_sysctl_table() in\n fs/proc/proc_sysctl.c, related to put_links, aka CID-23da9588037e. (CVE-2019-20054)\n\n - mwifiex_tm_cmd in drivers/net/wireless/marvell/mwifiex/cfg80211.c in the Linux kernel before 5.1.6 has\n some error-handling cases that did not free allocated hostcmd memory, aka CID-003b686ace82. This will\n cause a memory leak and denial of service. (CVE-2019-20095)\n\n - An issue was discovered in button_open in login/logind-button.c in systemd before 243. When executing the\n udevadm trigger command, a memory leak may occur. (CVE-2019-20386)\n\n - xmlSchemaPreRun in xmlschemas.c in libxml2 2.9.10 allows an xmlSchemaValidateStream memory leak.\n (CVE-2019-20388)\n\n - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode\n table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7. (CVE-2019-20636)\n\n - An issue was discovered in the Linux kernel before 5.0.6. In rx_queue_add_kobject() and\n netdev_queue_add_kobject() in net/core/net-sysfs.c, a reference count is mishandled, aka CID-a3e23f719f5c.\n (CVE-2019-20811)\n\n - In Lib/tarfile.py in Python through 3.8.3, an attacker is able to craft a TAR archive leading to an\n infinite loop when opened by tarfile.open, because _proc_pax lacks header validation. (CVE-2019-20907)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Optimizer). Supported\n versions that are affected are 5.6.45 and prior, 5.7.27 and prior and 8.0.17 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2019-2974)\n\n - An exploitable code execution vulnerability exists in the quota file functionality of E2fsprogs 1.45.3. A\n specially crafted ext4 partition can cause an out-of-bounds write on the heap, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5094)\n\n - A code execution vulnerability exists in the directory rehashing functionality of E2fsprogs e2fsck 1.45.4.\n A specially crafted ext4 directory can cause an out-of-bounds write on the stack, resulting in code\n execution. An attacker can corrupt a partition to trigger this vulnerability. (CVE-2019-5188)\n\n - Heap buffer overflow in the TFTP protocol handler in cURL 7.19.4 to 7.65.3. (CVE-2019-5482)\n\n - A buffer overflow issue was addressed with improved memory handling. This issue is fixed in macOS Mojave\n 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra. An attacker in a\n privileged network position may be able to execute arbitrary code. (CVE-2019-8675, CVE-2019-8696)\n\n - In the Android kernel in i2c driver there is a possible out of bounds write due to memory corruption. This\n could lead to local escalation of privilege with System execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9454)\n\n - In the Android kernel in the video driver there is a use after free due to a race condition. This could\n lead to local escalation of privilege with no additional execution privileges needed. User interaction is\n not needed for exploitation. (CVE-2019-9458)\n\n - There is a use-after-free in kernel versions before 5.5 due to a race condition between the release of\n ptp_clock and cdev while resource deallocation. When a (high privileged) process allocates a ptp device\n file (like /dev/ptpX) and voluntarily goes to sleep. During this time if the underlying device is removed,\n it can cause an exploitable condition as the process wakes up to terminate and clean all attached files.\n The system crashes due to the cdev structure being invalid (as already freed) which is pointed to by the\n inode. (CVE-2020-10690)\n\n - A flaw was found in the Linux kernel's implementation of Userspace core dumps. This flaw allows an\n attacker with a local account to crash a trivial program and exfiltrate private kernel data.\n (CVE-2020-10732)\n\n - A flaw was found in the Linux kernel. An index buffer overflow during Direct IO write leading to the NFS\n client to crash. In some cases, a reach out of the index after one memory allocation by kmalloc will cause\n a kernel panic. The highest threat from this vulnerability is to data confidentiality and system\n availability. (CVE-2020-10742)\n\n - A flaw was found in the Linux kernels SELinux LSM hook implementation before version 5.7, where it\n incorrectly assumed that an skb would only contain a single netlink message. The hook would incorrectly\n only validate the first netlink message in the skb and allow or deny the rest of the messages within the\n skb with the granted permission without further processing. (CVE-2020-10751)\n\n - A buffer over-read flaw was found in RH kernel versions before 5.0 in crypto_authenc_extractkeys in\n crypto/authenc.c in the IPsec Cryptographic algorithm's module, authenc. When a payload longer than 4\n bytes, and is not following 4-byte alignment boundary guidelines, it causes a buffer over-read threat,\n leading to a system crash. This flaw allows a local attacker with user privileges to cause a denial of\n service. (CVE-2020-10769)\n\n - In the Linux kernel before 5.5.8, get_raw_socket in drivers/vhost/net.c lacks validation of an sk_family\n field, which might allow attackers to trigger kernel stack corruption via crafted system calls.\n (CVE-2020-10942)\n\n - ** DISPUTED ** An issue was discovered in the Linux kernel through 5.6.2. mpol_parse_str in mm/mempolicy.c\n has a stack-based out-of-bounds write because an empty nodelist is mishandled during mount option parsing,\n aka CID-aa9f7d5172fa. NOTE: Someone in the security community disagrees that this is a vulnerability\n because the issue is a bug in parsing mount options which can only be specified by a privileged user, so\n triggering the bug does not grant any powers not already held.. (CVE-2020-11565)\n\n - In filter.c in slapd in OpenLDAP before 2.4.50, LDAP search filters with nested boolean expressions can\n result in denial of service (daemon crash). (CVE-2020-12243)\n\n - When converting coordinates from projective to affine, the modular inversion was not performed in constant\n time, resulting in a possible timing-based side channel attack. This vulnerability affects Firefox < 80\n and Firefox for Android < 80. (CVE-2020-12400)\n\n - During ECDSA signature generation, padding applied in the nonce designed to ensure constant-time scalar\n multiplication was removed, resulting in variable-time execution dependent on secret data. This\n vulnerability affects Firefox < 80 and Firefox for Android < 80. (CVE-2020-12401)\n\n - During RSA key generation, bignum implementations used a variation of the Binary Extended Euclidean\n Algorithm which entailed significantly input-dependent flow. This allowed an attacker able to perform\n electromagnetic-based side channel attacks to record traces leading to the recovery of the secret primes.\n *Note:* An unmodified Firefox browser does not generate RSA keys in normal operation and is not affected,\n but products built on top of it might. This vulnerability affects Firefox < 78. (CVE-2020-12402)\n\n - A flaw was found in the way CHACHA20-POLY1305 was implemented in NSS in versions before 3.55. When using\n multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling\n multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest\n threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\n - An issue was discovered in the Linux kernel through 5.6.11. sg_write lacks an sg_remove_request call in a\n certain failure case, aka CID-83c6f2390040. (CVE-2020-12770)\n\n - A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2.\n Because exec_id in include/linux/sched.h is only 32 bits, an integer overflow can interfere with a\n do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in\n a different security domain. Exploitation limitations include the amount of elapsed time before an integer\n overflow occurs, and the lack of scenarios where signals to a parent process present a substantial\n operational threat. (CVE-2020-12826)\n\n - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to\n 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the\n HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP\n headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This\n could lead to users seeing responses for unexpected resources. (CVE-2020-13943)\n\n - An out-of-bounds memory write flaw was found in how the Linux kernel's Voice Over IP H.323 connection\n tracking functionality handled connections on ipv6 port 1720. This flaw allows an unauthenticated remote\n user to crash the system, causing a denial of service. The highest threat from this vulnerability is to\n confidentiality, integrity, as well as system availability. (CVE-2020-14305)\n\n - A memory out-of-bounds read flaw was found in the Linux kernel before 5.9-rc2 with the ext3/ext4 file\n system, in the way it accesses a directory with broken indexing. This flaw allows a local user to crash\n the system if the directory exists. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14314)\n\n - A flaw was found in the Linux kernel's implementation of the invert video code on VGA consoles when a\n local attacker attempts to resize the console, calling an ioctl VT_RESIZE, which causes an out-of-bounds\n write to occur. This flaw allows a local user with access to the VGA console to crash the system,\n potentially escalating their privileges on the system. The highest threat from this vulnerability is to\n data confidentiality and integrity as well as system availability. (CVE-2020-14331)\n\n - A flaw was found in the Linux kernel before 5.9-rc4. A failure of the file system metadata validator in\n XFS can cause an inode with a valid, user-creatable extended attribute to be flagged as corrupt. This can\n lead to the filesystem being shutdown, or otherwise rendered inaccessible until it is remounted, leading\n to a denial of service. The highest threat from this vulnerability is to system availability.\n (CVE-2020-14385)\n\n - Lib/ipaddress.py in Python through 3.8.3 improperly computes hash values in the IPv4Interface and\n IPv6Interface classes, which might allow a remote attacker to cause a denial of service if an application\n is affected by the performance of a dictionary containing IPv4Interface or IPv6Interface objects, and this\n attacker can cause many dictionary entries to be created. This is fixed in: v3.5.10, v3.5.10rc1; v3.6.12;\n v3.7.9; v3.8.4, v3.8.4rc1, v3.8.5, v3.8.6, v3.8.6rc1; v3.9.0, v3.9.0b4, v3.9.0b5, v3.9.0rc1, v3.9.0rc2.\n (CVE-2020-14422)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Serialization).\n Supported versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple\n protocols to compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in\n unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.\n Note: Applies to client and server deployment of Java. This vulnerability can be exploited through\n sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying\n data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed\n Java applets, such as through a web service. (CVE-2020-14779)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: JNDI). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n read access to a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server\n deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and\n sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component\n without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web\n service. (CVE-2020-14781)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks of this vulnerability can result in unauthorized\n update, insert or delete access to some of Java SE, Java SE Embedded accessible data. Note: Applies to\n client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start\n applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the\n specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as\n through a web service. (CVE-2020-14782, CVE-2020-14797)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Hotspot). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or\n delete access to some of Java SE, Java SE Embedded accessible data as well as unauthorized read access to\n a subset of Java SE, Java SE Embedded accessible data. Note: Applies to client and server deployment of\n Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java\n applets. It can also be exploited by supplying data to APIs in the specified Component without using\n sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service.\n (CVE-2020-14792)\n\n - Vulnerability in the Java SE, Java SE Embedded product of Oracle Java SE (component: Libraries). Supported\n versions that are affected are Java SE: 7u271, 8u261, 11.0.8 and 15; Java SE Embedded: 8u261. Difficult to\n exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to\n compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other\n than the attacker. Successful attacks of this vulnerability can result in unauthorized read access to a\n subset of Java SE, Java SE Embedded accessible data. Note: This vulnerability applies to Java deployments,\n typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load\n and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for\n security. This vulnerability does not apply to Java deployments, typically in servers, that load and run\n only trusted code (e.g., code installed by an administrator). (CVE-2020-14796)\n\n - Vulnerability in the Java SE product of Oracle Java SE (component: Libraries). Supported versions that are\n affected are Java SE: 11.0.8 and 15. Easily exploitable vulnerability allows unauthenticated attacker with\n network access via multiple protocols to compromise Java SE. Successful attacks of this vulnerability can\n result in unauthorized read access to a subset of Java SE accessible data. Note: This vulnerability\n applies to Java deployments, typically in clients running sandboxed Java Web Start applications or\n sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and\n rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in\n servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2020-14803)\n\n - Net-SNMP through 5.7.3 has Improper Privilege Management because SNMP WRITE access to the EXTEND MIB\n provides the ability to run arbitrary commands as root. (CVE-2020-15862)\n\n - Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to\n potentially exploit heap corruption via a crafted HTML page. (CVE-2020-15999)\n\n - A flaw was found in the Linux kernel's implementation of some networking protocols in IPsec, such as VXLAN\n and GENEVE tunnels over IPv6. When an encrypted tunnel is created between two hosts, the kernel isn't\n correctly routing tunneled data over the encrypted link; rather sending the data unencrypted. This would\n allow anyone in between the two endpoints to read the traffic unencrypted. The main threat from this\n vulnerability is to data confidentiality. (CVE-2020-1749)\n\n - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to\n 9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on\n an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely\n lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak\n between requests. (CVE-2020-17527)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, redirects configured with mod_rewrite that were intended to be\n self-referential might be fooled by encoded newlines and redirect instead to an an unexpected URL within\n the request URL. (CVE-2020-1927)\n\n - In Apache HTTP Server 2.4.0 to 2.4.41, mod_proxy_ftp may use uninitialized memory when proxying to a\n malicious FTP server. (CVE-2020-1934)\n\n - The X.509 GeneralName type is a generic type for representing different types of names. One of those name\n types is known as EDIPartyName. OpenSSL provides a function GENERAL_NAME_cmp which compares different\n instances of a GENERAL_NAME to see if they are equal or not. This function behaves incorrectly when both\n GENERAL_NAMEs contain an EDIPARTYNAME. A NULL pointer dereference and a crash may occur leading to a\n possible denial of service attack. OpenSSL itself uses the GENERAL_NAME_cmp function for two purposes: 1)\n Comparing CRL distribution point names between an available CRL and a CRL distribution point embedded in\n an X509 certificate 2) When verifying that a timestamp response token signer matches the timestamp\n authority name (exposed via the API functions TS_RESP_verify_response and TS_RESP_verify_token) If an\n attacker can control both items being compared then that attacker could trigger a crash. For example if\n the attacker can trick a client or server into checking a malicious certificate against a malicious CRL\n then this may occur. Note that some applications automatically download CRLs based on a URL embedded in a\n certificate. This checking happens prior to the signatures on the certificate and CRL being verified.\n OpenSSL's s_server, s_client and verify tools have support for the -crl_download option which implements\n automatic CRL downloading and this attack has been demonstrated to work against those tools. Note that an\n unrelated bug means that affected versions of OpenSSL cannot parse or construct correct encodings of\n EDIPARTYNAME. However it is possible to construct a malformed EDIPARTYNAME that OpenSSL's parser will\n accept and hence trigger this attack. All OpenSSL 1.1.1 and 1.0.2 versions are affected by this issue.\n Other OpenSSL releases are out of support and have not been checked. Fixed in OpenSSL 1.1.1i (Affected\n 1.1.1-1.1.1h). Fixed in OpenSSL 1.0.2x (Affected 1.0.2-1.0.2w). (CVE-2020-1971)\n\n - In the Linux kernel before 5.7.8, fs/nfsd/vfs.c (in the NFS server) can set incorrect permissions on new\n filesystem objects when the filesystem lacks ACL support, aka CID-22cf8419f131. This occurs because the\n current umask is not considered. (CVE-2020-24394)\n\n - A TOCTOU mismatch in the NFS client code in the Linux kernel before 5.8.3 could be used by local attackers\n to corrupt memory or possibly have unspecified other impact because a size check is in fs/nfs/nfs4proc.c\n instead of fs/nfs/nfs4xdr.c, aka CID-b4487b935452. (CVE-2020-25212)\n\n - A flaw was found in the HDLC_PPP module of the Linux kernel in versions before 5.9-rc7. Memory corruption\n and a read overflow is caused by improper input validation in the ppp_cp_parse_cr function which can cause\n the system to crash or cause a denial of service. The highest threat from this vulnerability is to data\n confidentiality and integrity as well as system availability. (CVE-2020-25643)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.46 and prior, 5.7.28 and prior and 8.0.18 and prior. Difficult to exploit vulnerability\n allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2574)\n\n - A flaw was discovered in the way that the KVM hypervisor handled instruction emulation for an L2 guest\n when nested virtualisation is enabled. Under some circumstances, an L2 guest may trick the L0 guest into\n accessing sensitive L1 resources that should be inaccessible to the L2 guest. (CVE-2020-2732)\n\n - Vulnerability in the MySQL Client product of Oracle MySQL (component: C API). Supported versions that are\n affected are 5.6.47 and prior, 5.7.27 and prior and 8.0.17 and prior. Difficult to exploit vulnerability\n allows low privileged attacker with network access via multiple protocols to compromise MySQL Client.\n Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently\n repeatable crash (complete DOS) of MySQL Client. (CVE-2020-2752)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions\n that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows low privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2780)\n\n - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Stored Procedure). Supported\n versions that are affected are 5.6.47 and prior, 5.7.29 and prior and 8.0.19 and prior. Easily exploitable\n vulnerability allows high privileged attacker with network access via multiple protocols to compromise\n MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang\n or frequently repeatable crash (complete DOS) of MySQL Server. (CVE-2020-2812)\n\n - When performing EC scalar point multiplication, the wNAF point multiplication algorithm was used; which\n leaked partial information about the nonce used during signature generation. Given an electro-magnetic\n trace of a few signature generations, the private key could have been computed. This vulnerability affects\n Firefox < 80 and Firefox for Android < 80. (CVE-2020-6829)\n\n - xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file\n situation. (CVE-2020-7595)\n\n - curl 7.20.0 through 7.70.0 is vulnerable to improper restriction of names for files and other resources\n that can lead too overwriting a local file when the -J flag is used. (CVE-2020-8177)\n\n - Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1\n allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client\n because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking. (CVE-2020-8492)\n\n - In BIND 9.0.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.9.3-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker on the network path for a TSIG-signed request, or operating\n the server receiving the TSIG-signed request, could send a truncated response to that request, triggering\n an assertion failure, causing the server to exit. Alternately, an off-path attacker would have to\n correctly guess when a TSIG-signed request was sent, along with other characteristics of the packet and\n message, and spoof a truncated response to trigger an assertion failure, causing the server to exit.\n (CVE-2020-8622)\n\n - In BIND 9.10.0 -> 9.11.21, 9.12.0 -> 9.16.5, 9.17.0 -> 9.17.3, also affects 9.10.5-S1 -> 9.11.21-S1 of the\n BIND 9 Supported Preview Edition, An attacker that can reach a vulnerable system with a specially crafted\n query packet can trigger a crash. To be vulnerable, the system must: * be running BIND that was built with\n --enable-native-pkcs11 * be signing one or more zones with an RSA key * be able to receive queries from\n a possible attacker (CVE-2020-8623)\n\n - In BIND 9.9.12 -> 9.9.13, 9.10.7 -> 9.10.8, 9.11.3 -> 9.11.21, 9.12.1 -> 9.16.5, 9.17.0 -> 9.17.3, also\n affects 9.9.12-S1 -> 9.9.13-S1, 9.11.3-S1 -> 9.11.21-S1 of the BIND 9 Supported Preview Edition, An\n attacker who has been granted privileges to change a specific subset of the zone's content could abuse\n these unintended additional privileges to update other contents of the zone. (CVE-2020-8624)\n\n - cloud-init through 19.4 relies on Mersenne Twister for a random password, which makes it easier for\n attackers to predict passwords, because rand_str in cloudinit/util.py calls the random.choice function.\n (CVE-2020-8631)\n\n - In cloud-init through 19.4, rand_user_password in cloudinit/config/cc_set_passwords.py has a small default\n pwlen value, which makes it easier for attackers to guess passwords. (CVE-2020-8632)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vc_do_resize function in\n drivers/tty/vt/vt.c. (CVE-2020-8647)\n\n - There is a use-after-free vulnerability in the Linux kernel through 5.5.2 in the vgacon_invert_region\n function in drivers/video/console/vgacon.c. (CVE-2020-8649)\n\n - An issue was discovered in the Linux kernel 3.16 through 5.5.6. set_fdc in drivers/block/floppy.c leads to\n a wait_til_ready out-of-bounds read because the FDC index is not checked for errors before assigning it,\n aka CID-2e90ca68b0d2. (CVE-2020-9383)\n\n - Sudo before 1.9.5p2 contains an off-by-one error that can result in a heap-based buffer overflow, which\n allows privilege escalation to root via sudoedit -s and a command-line argument that ends with a single\n backslash character. (CVE-2021-3156)\n\n - A heap-based buffer overflow was found in the way sudo parses command line arguments. This flaw is\n exploitable by any local user who can execute the sudo command without authentication. Successful\n exploitation of this flaw could lead to privilege escalation. (CVE-2021-3156)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-5.19.1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6af7891\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the Nutanix AOS software to recommended version.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-17006\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2019-5482\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Sudo Heap-Based Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:\"CANVAS\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2022/08/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2022/09/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:nutanix:aos\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"nutanix_collect.nasl\");\n script_require_keys(\"Host/Nutanix/Data/lts\", \"Host/Nutanix/Data/Service\", \"Host/Nutanix/Data/Version\", \"Host/Nutanix/Data/arch\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('vcf_extras.inc');\n\nvar app_info = vcf::nutanix::get_app_info();\n\nvar constraints = [\n { 'fixed_version' : '5.19.1', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1 or higher.', 'lts' : FALSE },\n { 'fixed_version' : '5.19.1', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 5.19.1 or higher.', 'lts' : FALSE }\n];\n\nvcf::nutanix::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE,\n flags:{'xss':TRUE}\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "ubuntu": [{"lastseen": "2023-06-13T15:23:36", "description": "## Releases\n\n * Ubuntu 20.04 LTS\n * Ubuntu 19.10 \n * Ubuntu 18.04 ESM\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * nss \\- Network Security Service library\n\nIt was discovered that NSS incorrectly handled the TLS State Machine. A \nremote attacker could possibly use this issue to cause NSS to hang, \nresulting in a denial of service. This issue only affected Ubuntu 18.04 LTS \nand Ubuntu 19.10. (CVE-2019-17023)\n\nCesar Pereida Garcia discovered that NSS incorrectly handled DSA key \ngeneration. A local attacker could possibly use this issue to perform a \ntiming attack and recover DSA keys. (CVE-2020-12399)\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-16T00:00:00", "type": "ubuntu", "title": "NSS vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17023", "CVE-2020-12399"], "modified": "2020-06-16T00:00:00", "id": "USN-4397-1", "href": "https://ubuntu.com/security/notices/USN-4397-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-13T15:29:48", "description": "## Releases\n\n * Ubuntu 19.10 \n * Ubuntu 19.04 \n * Ubuntu 18.04 ESM\n * Ubuntu 16.04 ESM\n\n## Packages\n\n * firefox \\- Mozilla Open Source web browser\n\nMultiple security issues were discovered in Firefox. If a user were \ntricked in to opening a specially crafted website, an attacker could \npotentially exploit these to cause a denial of service, obtain sensitive \ninformation, bypass Content Security Policy (CSP) restrictions, conduct \ncross-site scripting (XSS) attacks, or execute arbitrary code.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-09T00:00:00", "type": "ubuntu", "title": "Firefox vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17020", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025", "CVE-2019-17026"], "modified": "2020-01-09T00:00:00", "id": "USN-4234-1", "href": "https://ubuntu.com/security/notices/USN-4234-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-06-07T22:07:20", "description": "## Summary\n\nIBM has announced a release for IBM Security Identity Governance and Intelligence (IGI) in response to security vulnerability. The vulnerability concerns Open Source - 2 issues for nss and one additional issue.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17006](<https://vulners.com/cve/CVE-2019-17006>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when using certain cryptographic primitives. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>) \n** DESCRIPTION: **Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the negotiaition of a lower protocol after a HelloRetryRequest is sent. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger an invalid state transition in the TLS State Machine to ignore incoming Application Data records. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174062](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174062>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-12403](<https://vulners.com/cve/CVE-2020-12403>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the implementation of CHACHA20-POLY1305 decryption with undersized tag. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using multi-part Chacha20 to trigger an out-of-bounds read and obtain sensitive information. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187746](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187746>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)\n\n| \n\nVersion(s) \n \n---|--- \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.5 \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.4 \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.6 \n \n## Remediation/Fixes\n\nAffected Product(s)\n\n| \n\nVersion(s)\n\n| \n\nFirst Fix \n \n---|---|--- \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.5\n\n| \n\n[5.2.5.0-ISS-SIGI-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.5.0&platform=All&function=fixId&fixids=5.2.5.0-ISS-SIGI-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http> \"https://www.ibm.com/support/fixcentral/swg/downloadfixes?parent=ibm%20security&product=ibm/tivoli/ibm+security+identity+governance&release=5.2.5.0&platform=all&function=fixid&fixids=5.2.5.0-iss-sigi-fp0002&includerequisites=1&includesupersedes=0&downloadm\" ) \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.4\n\n| \n\n[5.2.4.0-ISS-SIGI-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.4.0&platform=All&function=fixId&fixids=5.2.4.0-ISS-SIGI-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \nIBM Security Identity Governance and Intelligence\n\n| \n\n5.2.6\n\n| \n\n[5.2.6.0-ISS-SIGI-FP0003](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.6.0&platform=All&function=fixId&fixids=5.2.6.0-ISS-SIGI-FP0003&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true> \"https://www.ibm.com/support/fixcentral/swg/downloadfixes?parent=ibm%20security&product=ibm/tivoli/ibm+security+identity+governance&release=5.2.5.0&platform=all&function=fixid&fixids=5.2.5.0-iss-sigi-fp0002&includerequisites=1&includesupersedes=0&downloadm\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T17:59:28", "type": "ibm", "title": "Security Bulletin: IBM has announced a release for IBM Security Identity Governance and Intelligence in response to a security vulnerability (CVE-2019-17006, CVE-2019-17023, CVE-2020-12403)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12403"], "modified": "2021-07-08T17:59:28", "id": "71B326DA1818D1C755649BEC7DF6788BEB9DB87F212A5DE7C63619B1FBF2FE69", "href": "https://www.ibm.com/support/pages/node/6457719", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:47:36", "description": "## Summary\n\nIBM Security Privileged Identity Manager has addressed multiple issue for NSS and NSPR as follows.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2019-17006](<https://vulners.com/cve/CVE-2019-17006>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when using certain cryptographic primitives. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>) \n** DESCRIPTION: **Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the negotiaition of a lower protocol after a HelloRetryRequest is sent. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to trigger an invalid state transition in the TLS State Machine to ignore incoming Application Data records. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174062](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174062>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n** CVEID: **[CVE-2020-12403](<https://vulners.com/cve/CVE-2020-12403>) \n** DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the implementation of CHACHA20-POLY1305 decryption with undersized tag. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability using multi-part Chacha20 to trigger an out-of-bounds read and obtain sensitive information. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187746](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187746>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nISPIM| 2.1.1 \n \n\n\n## Remediation/Fixes\n\nAffected Product(s)| Version(s) | Remediation \n---|---|--- \nISPIM| 2.1.1| [2.1.1-ISS-ISPIM-VA-FP0006](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.1.1&platform=All&function=fixId&fixids=2.1.1-ISS-ISPIM-VA-FP0006> \"2.1.1-ISS-ISPIM-VA-FP0006\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-12T10:59:54", "type": "ibm", "title": "Security Bulletin: IBM Security Privileged Identity Manager is affected by security vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12403"], "modified": "2021-01-12T10:59:54", "id": "18350C8CFDA428FFE8D03D8AF52B480419325DE4650723C8EB99383D1C4F7938", "href": "https://www.ibm.com/support/pages/node/6403279", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:47:23", "description": "## Summary\n\nIBM MQ Appliance has resolved multiple nss and nspr vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2019-11719](<https://vulners.com/cve/CVE-2019-11719>) \n**DESCRIPTION: **Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by an out-of-bounds read when importing a curve25519 private key in PKCS#8format. By persuading a victim to visit a specially-crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to obtain sensitive information. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163512](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163512>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n**CVEID: **[CVE-2019-11727](<https://vulners.com/cve/CVE-2019-11727>) \n**DESCRIPTION: **Mozilla Firefox could allow a remote attacker to bypass security restrictions. By persuading a victim to visit a specially-crafted website, an attacker could exploit this vulnerability to force Network Security Services (NSS) to sign PKCS#1 v1.5 signatures to be used for TLS 1.3 messages. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/163519](<https://exchange.xforce.ibmcloud.com/vulnerabilities/163519>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n**CVEID: **[CVE-2019-11756](<https://vulners.com/cve/CVE-2019-11756>) \n**DESCRIPTION: **Mozilla Firefox could allow a remote attacker to execute arbitrary code on the system, caused by a use-after-free of SFTKSession object. By persuading a victim to visit a specially-crafted website, a remote attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the vulnerable system or cause a denial of service. \nCVSS Base score: 8.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172454](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172454>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2019-17006](<https://vulners.com/cve/CVE-2019-17006>) \n**DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when using certain cryptographic primitives. By sending an overly long argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause a denial of service. \nCVSS Base score: 8.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174125](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174125>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>) \n**DESCRIPTION: **Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the negotiation of a lower protocol after a HelloRetryRequest is sent. By persuading a victim to visit a specially-crafted website, a remote attacker could exploit this vulnerability to trigger an invalid state transition in the TLS State Machine to ignore incoming Application Data records. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/174062](<https://exchange.xforce.ibmcloud.com/vulnerabilities/174062>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N) \n \n**CVEID: **[CVE-2020-12403](<https://vulners.com/cve/CVE-2020-12403>) \n**DESCRIPTION: **Mozilla Network Security Services (NSS), as used in Mozilla Firefox could allow a remote attacker to obtain sensitive information, caused by the implementation of CHACHA20-POLY1305 decryption with undersized tag. By persuading a victim to visit a specially-crafted website, a remote attacker could exploit this vulnerability using multi-part Chacha20 to trigger an out-of-bounds read and obtain sensitive information. \nCVSS Base score: 6.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187746](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187746>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM MQ Appliance | 9.1 LTS \nIBM MQ Appliance | 9.2 LTS \nIBM MQ Appliance | 9.1 CD \n \n## Remediation/Fixes\n\n**IBM MQ Appliance 9.1 LTS**\n\nApply [fixpack 9.1.0.7](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&function=fixId&fixids=9.1.0.7-IBM-MQ-Appliance-U0000+&includeSupersedes=1> \"fixpack 9.1.0.7\" ), or later maintenance.\n\n**IBM MQ Appliance 9.1 CD**\n\nUpgrade to [9.2.1 CD](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&function=fixId&fixids=9.2.1-IBM-MQ-Appliance-U0000+&includeSupersedes=1> \"9.2.1 CD\" ), or later.\n\n**IBM MQ Appliance 9.2 LTS**\n\nApply iFix [IT34570](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+MQ+Appliance+M2000&function=fixId&fixids=9.2.0.1-IBM-MQ-Appliance-IT34570%3A92774672000&includeSupersedes=1>), or later maintenance.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-21T09:32:12", "type": "ibm", "title": "Security Bulletin: IBM MQ Appliance is affected by multiple nss and nspr vulnerabilities", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12403"], "modified": "2021-01-21T09:32:12", "id": "FD39A731E3BFE5F8DE4A120F1ED300B4BC52F7B3B3FDDCEE6A7C56B4F2DEB7C3", "href": "https://www.ibm.com/support/pages/node/6403293", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "almalinux": [{"lastseen": "2021-08-11T15:48:28", "description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.\n\nNetscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.\n\nThe following packages have been upgraded to a later upstream version: nss (3.53.1), nspr (4.25.0). (BZ#1809549, BZ#1809550)\n\nSecurity Fix(es):\n\n* nss: UAF in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Install of update of nss.x86_64 adds i686 into transaction (BZ#1663187)\n\n* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1691409)\n\n* TLS Keying Material Exporter is unsupported by command line tools (BZ#1691454)\n\n* TLS_AES_256_GCM_SHA384 is not marked as FIPS compatible (BZ#1711375)\n\n* Make TLS 1.3 work in FIPS mode (BZ#1724250)\n\n* NSS rejects records with large padding with SHA384 HMAC (BZ#1750921)\n\n* NSS missing IKEv1 Quick Mode KDF (BZ#1809637)\n\n* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1825270)\n\n* FIPS needs nss to restrict valid dh primes to those primes that are approved. (BZ#1854564)\n\n* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1855825)\n\nEnhancement(s):\n\n* [RFE] nss should use AES for storage of keys (BZ#1723819)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-03T12:45:28", "type": "almalinux", "title": "Moderate: nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402"], "modified": "2021-08-11T13:42:14", "id": "ALSA-2020:3280", "href": "https://errata.almalinux.org/8/ALSA-2020-3280.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2021-07-28T14:24:59", "description": "nspr\n[4.25.0-2]\n- Rebuild\n[4.25.0-1]\n- Update to NSPR 4.25\nnss\n[3.53.1-11]\n- Fix issue with upgradedb where upgradedb expects standard to\n generate dbm databases, not sql databases (default in RHEL8)\n[3.53.1-10]\n- Disable dh timing test because it's unreliable on s390\n[3.53.1-9]\n- Explicitly enable upgradedb/sharedb test cycles\n[3.53.1-8]\n- Disable Delegated Credentials for TLS\n[3.53.1-7]\n- Fix attribute decryption issue where the private key components\n integrity check on private attributes where not being checked.\n[3.53.1-6]\n- Update nss-rsa-pkcs1-sigalgs.patch to the upstream version\n[3.53.1-5]\n- Include required checks for dh and ecdh key generation in FIPS mode.\n[3.53.1-4]\n- Add better checks for dh derive operations in FIPS mode.\n[3.53.1-3]\n- Disable NSS_HASH_ALG_SUPPORT as well for MD5 (#1849938)\n- Adjust for update-crypto-policies packaging change (#1848649)\n- Fix compilation with -Werror=strict-prototypes (#1843417)\n[3.53.1-2]\n- Fix regression in MD5 disablement (#1849938)\n- Include rsa_pkcs1_* in signature_algorithms extension (#1847945)\n[3.53.1-1]\n- Update to NSS 3.53.1\n[3.53.0-1]\n- Update to NSS 3.53", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-08-04T00:00:00", "type": "oraclelinux", "title": "nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402"], "modified": "2020-08-04T00:00:00", "id": "ELSA-2020-3280", "href": "http://linux.oracle.com/errata/ELSA-2020-3280.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-07-28T14:24:45", "description": "nspr\n[4.25.0-2]\n- Rebuild to fix wrong dist tag\n[4.25.0-1]\n- Rebase to NSPR 4.25\nnss\n[3.53.1-3]\n- Disable dh timing test because it's unreliable on s390 (from Bob Relyea)\n- Explicitly enable upgradedb/sharedb test cycles\n[3.53.1-2]\n- Disable TLS 1.3 by default\n[3.53.1-1]\n- Rebase to NSS 3.53.1\n[3.44.0-8]\n- Increase timeout on ssl_gtest so that slow platforms can complete when\n running on a busy system.\nnss-softokn\n[3.53.1-6.0.1]\n- Add fips140-2 DSA Known Answer Test fix [Orabug: 26679337]\n- Add fips140-2 ECDSA/RSA/DSA Pairwise Consistency Test fix [Orabug: 26617814],\n [Orabug: 26617879], [Orabug: 26617849]\n[3.53.1-6]\n- turn of ALTIVEC instruction for powerpc because they require\n power8 and we need to support power7 on RHEL7 still.\n- Fix typo in measure.\n- Make sure only 2048 and greater primes are used in FIPS mode\n for dh.\n[3.53.1-5]\n- Fix the patch application in the previous change\n[3.53.1-4]\n- Fix glibc regression in the rebase; run RNG self-tests only if NSPR is linked\n[3.53.1-3]\n- include patches for CVE-2020-6829, CVE-2020-12400,\n and CVE-2020-12401 from upstream (ECC constant time issues).\n- include patches for CVE-2020-12403 from upstream\n (CHACHA issues).\n- include self-tests for kdfs and cmac.\n[3.53.1-2]\n- Install cmac.h required by blapi.h (#1764513)\n[3.53.1-1]\n- Rebase to NSS 3.53.1\nnss-util\n[3.53.1-1]\n- Rebase to NSS 3.53.1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-10-08T00:00:00", "type": "oraclelinux", "title": "nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-10-08T00:00:00", "id": "ELSA-2020-4076", "href": "http://linux.oracle.com/errata/ELSA-2020-4076.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "debian": [{"lastseen": "2023-07-04T15:04:39", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4726-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJuly 17, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : nss\nCVE ID : CVE-2019-17006 CVE-2019-17023 CVE-2020-12399 CVE-2020-12402\n\nSeveral vulnerabilities were discovered in NSS, a set of cryptographic\nlibraries, which may result in side channel/timing attacks or denial\nof service.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2:3.42.1-1+deb10u3.\n\nWe recommend that you upgrade your nss packages.\n\nFor the detailed security status of nss please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/nss\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-17T18:06:14", "type": "debian", "title": "[SECURITY] [DSA 4726-1] nss security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12399", "CVE-2020-12402"], "modified": "2020-07-17T18:06:14", "id": "DEBIAN:DSA-4726-1:A1D0C", "href": "https://lists.debian.org/debian-security-announce/2020/msg00132.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2023-08-04T12:27:59", "description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.\n\nNetscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.\n\nThe following packages have been upgraded to a later upstream version: nss (3.53.1), nspr (4.25.0). (BZ#1809549, BZ#1809550)\n\nSecurity Fix(es):\n\n* nss: UAF in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Install of update of nss.x86_64 adds i686 into transaction (BZ#1663187)\n\n* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1691409)\n\n* TLS Keying Material Exporter is unsupported by command line tools (BZ#1691454)\n\n* TLS_AES_256_GCM_SHA384 is not marked as FIPS compatible (BZ#1711375)\n\n* Make TLS 1.3 work in FIPS mode (BZ#1724250)\n\n* NSS rejects records with large padding with SHA384 HMAC (BZ#1750921)\n\n* NSS missing IKEv1 Quick Mode KDF (BZ#1809637)\n\n* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1825270)\n\n* FIPS needs nss to restrict valid dh primes to those primes that are approved. (BZ#1854564)\n\n* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1855825)\n\nEnhancement(s):\n\n* [RFE] nss should use AES for storage of keys (BZ#1723819)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-03T12:45:28", "type": "redhat", "title": "(RHSA-2020:3280) Moderate: nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12399", "CVE-2020-12402"], "modified": "2021-11-10T18:45:56", "id": "RHSA-2020:3280", "href": "https://access.redhat.com/errata/RHSA-2020:3280", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-04T12:27:59", "description": "OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container Platform.\n\nSecurity Fix(es):\n\n* golang: data race in certain net/http servers including ReverseProxy can lead to DoS (CVE-2020-15586)\n\n* golang: ReadUvarint and ReadVarint can read an unlimited number of bytes from invalid inputs (CVE-2020-16845)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Container-native Virtualization 2.4.2 Images (BZ#1877407)\n\nThis advisory contains the following OpenShift Virtualization 2.4.2 images:\n\nRHEL-7-CNV-2.4\n==============\nkubevirt-ssp-operator-container-v2.4.2-2\n\nRHEL-8-CNV-2.4\n==============\nvirt-cdi-controller-container-v2.4.2-1\nvirt-cdi-apiserver-container-v2.4.2-1\nhostpath-provisioner-operator-container-v2.4.2-1\nvirt-cdi-uploadproxy-container-v2.4.2-1\nvirt-cdi-cloner-container-v2.4.2-1\nvirt-cdi-importer-container-v2.4.2-1\nkubevirt-template-validator-container-v2.4.2-1\nhostpath-provisioner-container-v2.4.2-1\nvirt-cdi-uploadserver-container-v2.4.2-1\nvirt-cdi-operator-container-v2.4.2-1\nvirt-controller-container-v2.4.2-1\nkubevirt-cpu-model-nfd-plugin-container-v2.4.2-1\nvirt-api-container-v2.4.2-1\novs-cni-marker-container-v2.4.2-1\nkubevirt-cpu-node-labeller-container-v2.4.2-1\nbridge-marker-container-v2.4.2-1\nkubevirt-metrics-collector-container-v2.4.2-1\nkubemacpool-container-v2.4.2-1\ncluster-network-addons-operator-container-v2.4.2-1\novs-cni-plugin-container-v2.4.2-1\nkubernetes-nmstate-handler-container-v2.4.2-1\ncnv-containernetworking-plugins-container-v2.4.2-1\nvirtio-win-container-v2.4.2-1\nvirt-handler-container-v2.4.2-1\nvirt-launcher-container-v2.4.2-1\ncnv-must-gather-container-v2.4.2-1\nvirt-operator-container-v2.4.2-1\nvm-import-controller-container-v2.4.2-1\nhyperconverged-cluster-operator-container-v2.4.2-1\nvm-import-operator-container-v2.4.2-1\nkubevirt-vmware-container-v2.4.2-1\nkubevirt-v2v-conversion-container-v2.4.2-1\nkubevirt-kvm-info-nfd-plugin-container-v2.4.2-1\nnode-maintenance-operator-container-v2.4.2-1\nhco-bundle-registry-container-v2.4.2-15", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-06T22:47:14", "type": "redhat", "title": "(RHSA-2020:4201) Low: OpenShift Virtualization 2.4.2 Images", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12402", "CVE-2020-12825", "CVE-2020-14352", "CVE-2020-14365", "CVE-2020-15586", "CVE-2020-16845"], "modified": "2020-10-06T22:50:13", "id": "RHSA-2020:4201", "href": "https://access.redhat.com/errata/RHSA-2020:4201", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-08-04T12:27:59", "description": "Network Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.\n\nNetscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.\n\nThe following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)\n\nSecurity Fix(es):\n\n* nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n* nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n* nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\n* nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)\n\n* nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n* nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n* nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)\n\n* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)\n\n* Make TLS 1.3 work in FIPS mode (BZ#1724251)\n\n* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)\n\n* x25519 allowed in FIPS mode (BZ#1754518)\n\n* When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)\n\n* Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)\n\n* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)\n\n* KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-29T19:33:00", "type": "redhat", "title": "(RHSA-2020:4076) Moderate: nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-09-29T20:14:37", "id": "RHSA-2020:4076", "href": "https://access.redhat.com/errata/RHSA-2020:4076", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:23", "description": "Red Hat OpenShift Do (odo) is a simple CLI tool for developers to create,\nbuild, and deploy applications on OpenShift. The odo tool is completely\nclient-based and requires no server within the OpenShift cluster for\ndeployment. It detects changes to local code and deploys it to the cluster\nautomatically, giving instant feedback to validate changes in real-time. It\nsupports multiple programming languages and frameworks.\n\nRed Hat OpenShift Do openshift/odo-init-image 1.1.3 is a container image\nthat is used as part of the InitContainer setup that provisions odo\ncomponents.\n\nThe advisory addresses the following issues:\n\n* Re-release of odo-init-image 1.1.3 for security updates", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-22T09:48:51", "type": "redhat", "title": "(RHSA-2021:0949) Low: Red Hat OpenShift Do openshift/odo-init-image 1.1.3 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12749", "CVE-2019-14866", "CVE-2019-15903", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-19956", "CVE-2019-20388", "CVE-2019-20907", "CVE-2019-5094", "CVE-2019-5188", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-1971", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177"], "modified": "2021-03-22T09:49:43", "id": "RHSA-2021:0949", "href": "https://access.redhat.com/errata/RHSA-2021:0949", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:27", "description": "* Updated python-psutil version to 5.6.6 inside ansible-runner container (CVE-2019-18874)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-14T12:50:53", "type": "redhat", "title": "(RHSA-2020:4254) Moderate: security update - Red Hat Ansible Tower 3.7 runner release (CVE-2019-18874)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12652", "CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-14973", "CVE-2019-15903", "CVE-2019-16935", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-17546", "CVE-2019-18874", "CVE-2019-19126", "CVE-2019-19956", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-14365", "CVE-2020-5313", "CVE-2020-6829", "CVE-2020-7595"], "modified": "2020-10-14T12:52:22", "id": "RHSA-2020:4254", "href": "https://access.redhat.com/errata/RHSA-2020:4254", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:27", "description": "* Updated python-psutil version to 5.6.6 inside ansible-runner container\n(CVE-2019-18874)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-14T12:51:09", "type": "redhat", "title": "(RHSA-2020:4255) Moderate: security update - Red Hat Ansible Tower 3.6 runner release (CVE-2019-18874)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12652", "CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-14973", "CVE-2019-15903", "CVE-2019-16935", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-17546", "CVE-2019-18874", "CVE-2019-19126", "CVE-2019-19956", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-14365", "CVE-2020-5313", "CVE-2020-6829", "CVE-2020-7595"], "modified": "2020-10-14T12:52:24", "id": "RHSA-2020:4255", "href": "https://access.redhat.com/errata/RHSA-2020:4255", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:27", "description": "Security Fix(es):\n\n* Addressed a security issue which can allow a malicious playbook author to elevate to the awx user from outside the isolated environment: CVE-2021-20253\n* Upgraded to a more recent version of nginx to address CVE-2019-20372\n* Upgraded to a more recent version of autobahn to address CVE-2020-35678\n* Upgraded to a more recent version of jquery to address CVE-2020-11022 and CVE-2020-11023\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-03-09T15:06:59", "type": "redhat", "title": "(RHSA-2021:0778) Important: Red Hat Ansible Tower 3.6.7-1 - Container security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5766", "CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12749", "CVE-2019-14866", "CVE-2019-15903", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-19956", "CVE-2019-20372", "CVE-2019-20388", "CVE-2019-20907", "CVE-2020-10543", "CVE-2020-10878", "CVE-2020-11022", "CVE-2020-11023", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12723", "CVE-2020-1971", "CVE-2020-35678", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2021-20178", "CVE-2021-20180", "CVE-2021-20191", "CVE-2021-20228", "CVE-2021-20253"], "modified": "2021-03-09T15:08:46", "id": "RHSA-2021:0778", "href": "https://access.redhat.com/errata/RHSA-2021:0778", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:23", "description": "Red Hat Ansible Automation Platform Resource Operator container images \nwith security fixes.\n\nAnsible Automation Platform manages Ansible Platform jobs and workflows\nthat can interface with any infrastructure on a Red Hat OpenShift Container\nPlatform cluster, or on a traditional infrastructure that is running\noff-cluster.\n\nSecurity fixes:\n\nCVE-2021-20191 ansible: multiple modules expose secured values [ansible_automation_platform-1.2] (BZ#1916813)\n\nCVE-2021-20178 ansible: user data leak in snmp_facts module [ansible_automation_platform-1.2] (BZ#1914774)\n\nCVE-2021-20180 ansible: ansible module: bitbucket_pipeline_variable exposes secured values [ansible_automation_platform-1.2] (BZ#1915808)\n\nCVE-2021-20228 ansible: basic.py no_log with fallback option [ansible_automation_platform-1.2] (BZ#1925002)\n\nCVE-2021-3447 ansible: multiple modules expose secured values [ansible_automation_platform-1.2] (BZ#1939349)\n\nFor more details about the security issue, including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-06T12:40:30", "type": "redhat", "title": "(RHSA-2021:1079) Moderate: Red Hat Ansible Automation Platform Operator 1.2 security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12652", "CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12749", "CVE-2019-14866", "CVE-2019-14973", "CVE-2019-15903", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-17546", "CVE-2019-19956", "CVE-2019-20388", "CVE-2019-20907", "CVE-2019-5094", "CVE-2019-5188", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-14422", "CVE-2020-15999", "CVE-2020-1971", "CVE-2020-5313", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-8625", "CVE-2021-20178", "CVE-2021-20180", "CVE-2021-20191", "CVE-2021-20228", "CVE-2021-3156", "CVE-2021-3447"], "modified": "2021-04-06T12:41:06", "id": "RHSA-2021:1079", "href": "https://access.redhat.com/errata/RHSA-2021:1079", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:23", "description": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis advisory is intended to use with container images for Red Hat 3scale API Management 2.10.0.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\n* golang.org/x/text: possibility to trigger an infinite loop in encoding/unicode could lead to crash (CVE-2020-14040)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-07T09:52:40", "type": "redhat", "title": "(RHSA-2021:1129) Moderate: Red Hat 3scale API Management 2.10.0 security update and release", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-20843", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12749", "CVE-2019-14836", "CVE-2019-14866", "CVE-2019-15903", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-19126", "CVE-2019-19532", "CVE-2019-19956", "CVE-2019-20388", "CVE-2019-20907", "CVE-2019-5094", "CVE-2019-5188", "CVE-2020-0427", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12723", "CVE-2020-14040", "CVE-2020-14351", "CVE-2020-1971", "CVE-2020-25211", "CVE-2020-25645", "CVE-2020-25656", "CVE-2020-25705", "CVE-2020-28374", "CVE-2020-29661", "CVE-2020-6829", "CVE-2020-7053", "CVE-2020-7595", "CVE-2020-8177", "CVE-2020-9283", "CVE-2021-20265"], "modified": "2021-05-25T21:31:07", "id": "RHSA-2021:1129", "href": "https://access.redhat.com/errata/RHSA-2021:1129", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-09-12T04:36:27", "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments.\n\nSecurity Fix(es):\n\n* golang.org/x/crypto: Processing of crafted ssh-ed25519 public keys allows for panic (CVE-2020-9283)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Gather image registry config (backport to 4.3) (BZ#1836815)\n\n* Builds fail after running postCommit script if OCP cluster is configured with a container registry whitelist (BZ#1849176)\n\n* Login with OpenShift not working after cluster upgrade (BZ#1852429)\n\n* Limit the size of gathered federated metrics from alerts in Insights Operator (BZ#1874018)\n\n* [4.3] Storage operator stops reconciling when going Upgradeable=False on v1alpha1 CRDs (BZ#1879110)\n\n* [release 4.3] OpenShift APIs become unavailable for more than 15 minutes after one of master nodes went down(OAuth) (BZ#1880293)\n\nYou may download the oc tool and use it to inspect release image metadata\nas follows:\n\n(For x86_64 architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.3.40-x86_64\n\nThe image digest is sha256:9ff90174a170379e90a9ead6e0d8cf6f439004191f80762764a5ca3dbaab01dc\n\n(For s390x architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.3.40-s390x\nThe image digest is sha256:605ddde0442e604cfe2d6bd1541ce48df5956fe626edf9cc95b1fca75d231b64\n\n(For ppc64le architecture)\n\n $ oc adm release info\nquay.io/openshift-release-dev/ocp-release:4.3.40-ppc64le\n\nThe image digest is sha256:d3c9e391c145338eae3feb7f6a4e487dadc8139a353117d642fe686d277bcccc", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-20T21:25:42", "type": "redhat", "title": "(RHSA-2020:4264) Low: OpenShift Container Platform 4.3.40 security and bug fix update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-12652", "CVE-2017-18190", "CVE-2018-20843", "CVE-2019-11068", "CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-12450", "CVE-2019-12749", "CVE-2019-14822", "CVE-2019-14866", "CVE-2019-14973", "CVE-2019-15903", "CVE-2019-16935", "CVE-2019-17006", "CVE-2019-17023", "CVE-2019-17498", "CVE-2019-17546", "CVE-2019-18197", "CVE-2019-19126", "CVE-2019-19956", "CVE-2019-20386", "CVE-2019-20388", "CVE-2019-2974", "CVE-2019-5094", "CVE-2019-5188", "CVE-2019-5482", "CVE-2019-8675", "CVE-2019-8696", "CVE-2020-12243", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-12825", "CVE-2020-14352", "CVE-2020-2181", "CVE-2020-2182", "CVE-2020-2224", "CVE-2020-2225", "CVE-2020-2226", "CVE-2020-24750", "CVE-2020-2574", "CVE-2020-2752", "CVE-2020-2780", "CVE-2020-2812", "CVE-2020-6829", "CVE-2020-7595", "CVE-2020-8492", "CVE-2020-9283"], "modified": "2020-10-20T21:47:29", "id": "RHSA-2020:4264", "href": "https://access.redhat.com/errata/RHSA-2020:4264", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "rocky": [{"lastseen": "2023-07-24T17:30:17", "description": "An update is available for nspr.\nThis update affects Rocky Linux 8.\nA Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list\nNetwork Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.\n\nNetscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.\n\nThe following packages have been upgraded to a later upstream version: nss (3.53.1), nspr (4.25.0). (BZ#1809549, BZ#1809550)\n\nSecurity Fix(es):\n\n* nss: UAF in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Install of update of nss.x86_64 adds i686 into transaction (BZ#1663187)\n\n* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1691409)\n\n* TLS Keying Material Exporter is unsupported by command line tools (BZ#1691454)\n\n* TLS_AES_256_GCM_SHA384 is not marked as FIPS compatible (BZ#1711375)\n\n* Make TLS 1.3 work in FIPS mode (BZ#1724250)\n\n* NSS rejects records with large padding with SHA384 HMAC (BZ#1750921)\n\n* NSS missing IKEv1 Quick Mode KDF (BZ#1809637)\n\n* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1825270)\n\n* FIPS needs nss to restrict valid dh primes to those primes that are approved. (BZ#1854564)\n\n* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1855825)\n\nEnhancement(s):\n\n* [RFE] nss should use AES for storage of keys (BZ#1723819)", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-03T12:45:28", "type": "rocky", "title": "nss and nspr security, bug fix, and enhancement update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12399", "CVE-2020-12402"], "modified": "2020-08-03T12:45:28", "id": "RLSA-2020:3280", "href": "https://errata.rockylinux.org/RLSA-2020:3280", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "archlinux": [{"lastseen": "2023-06-13T15:05:14", "description": "Arch Linux Security Advisory ASA-202001-1\n=========================================\n\nSeverity: Critical\nDate : 2020-01-08\nCVE-ID : CVE-2019-17016 CVE-2019-17017 CVE-2019-17020 CVE-2019-17022\nCVE-2019-17023 CVE-2019-17024 CVE-2019-17025\nPackage : firefox\nType : multiple issues\nRemote : Yes\nLink : https://security.archlinux.org/AVG-1084\n\nSummary\n=======\n\nThe package firefox before version 72.0-1 is vulnerable to multiple\nissues including arbitrary code execution, insufficient validation,\naccess restriction bypass and denial of service.\n\nResolution\n==========\n\nUpgrade to 72.0-1.\n\n# pacman -Syu \"firefox>=72.0-1\"\n\nThe problems have been fixed upstream in version 72.0.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\n- CVE-2019-17016 (insufficient validation)\n\nA security issue has been found in Firefox before 72.0. When pasting a\n<style> tag from the clipboard into a rich text editor, the CSS\nsanitizer incorrectly rewrites a @namespace rule. This could allow for\ninjection into certain types of websites resulting in data\nexfiltration.\n\n- CVE-2019-17017 (arbitrary code execution)\n\nA type confusion issue has been found in Firefox before 72.0, in\nXPCVariant.cpp where, due to a missing case handling object types, a\ntype confusion vulnerability could occur, resulting in a crash.\n\n- CVE-2019-17020 (access restriction bypass)\n\nA Content Security Policy bypass has been found in Firefox before 72.0,\nwhere the CSP is not applied to XSL stylesheets applied to XML\ndocuments. If the XSL sheet e.g. includes JavaScript, it would bypass\nany of the restrictions of the Content Security Policy applied to the\nXML document.\n\n- CVE-2019-17022 (insufficient validation)\n\nA security issue has been found in Firefox before 72.0, where CSS\nsanitization does not escape HTML tags. When pasting a <style> tag from\nthe clipboard into a rich text editor, the CSS sanitizer does not\nescape < and > characters. Because the resulting string is pasted\ndirectly into the text node of the element this does not result in a\ndirect injection into the webpage; however, if a webpage subsequently\ncopies the node's innerHTML, assigning it to another innerHTML, this\nwould result in an XSS vulnerability. Two WYSIWYG editors were\nidentified with this behavior, more may exist.\n\n- CVE-2019-17023 (denial of service)\n\nA security issue has been found in the NSS component of Firefox before\n72.0. After a HelloRetryRequest has been sent, the client may negotiate\na lower protocol that TLS 1.3, resulting in an invalid state transition\nin the TLS State Machine. If the client gets into this state, incoming\nApplication Data records will be ignored.\n\n- CVE-2019-17024 (arbitrary code execution)\n\nSeveral memory safety issues have been found in Firefox before 72.0 and\nFirefox ESR before 68.4. Some of these bugs showed evidence of memory\ncorruption and Mozilla presumes that with enough effort some of these\ncould have been exploited to run arbitrary code.\n\n- CVE-2019-17025 (arbitrary code execution)\n\nSeveral memory safety issues have been found in Firefox before 72.0.\nSome of these bugs showed evidence of memory corruption and Mozilla\npresumes that with enough effort some of these could have been\nexploited to run arbitrary code.\n\nImpact\n======\n\nA remote attacker could bypass security measures or execute arbitrary\ncode on the affected host.\n\nReferences\n==========\n\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17016\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1599181\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17017\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1603055\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17020\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1597645\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17022\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1602843\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17023\nhttps://bugzilla.mozilla.org/show_bug.cgi?id=1590001\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17024\nhttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1507180%2C1595470%2C1598605%2C1601826\nhttps://www.mozilla.org/en-US/security/advisories/mfsa2020-01/#CVE-2019-17025\nhttps://bugzilla.mozilla.org/buglist.cgi?bug_id=1328295%2C1328300%2C1590447%2C1590965%2C1595692%2C1597321%2C1597481\nhttps://security.archlinux.org/CVE-2019-17016\nhttps://security.archlinux.org/CVE-2019-17017\nhttps://security.archlinux.org/CVE-2019-17020\nhttps://security.archlinux.org/CVE-2019-17022\nhttps://security.archlinux.org/CVE-2019-17023\nhttps://security.archlinux.org/CVE-2019-17024\nhttps://security.archlinux.org/CVE-2019-17025", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-08T00:00:00", "type": "archlinux", "title": "[ASA-202001-1] firefox: multiple issues", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17020", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025"], "modified": "2020-01-08T00:00:00", "id": "ASA-202001-1", "href": "https://security.archlinux.org/ASA-202001-1", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "amazon": [{"lastseen": "2023-06-13T17:21:07", "description": "**Issue Overview:**\n\nWhen importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11719)\n\nA vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68\\. (CVE-2019-11727)\n\nA use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. (CVE-2019-11756)\n\nA vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability. (CVE-2019-17006)\n\nA protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. (CVE-2019-17023)\n\nA side-channel flaw was found in NSS, in the way P-384 and P-521 curves are used in the generation of EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-12400)\n\nA flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-12401)\n\nA flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat to this flaw is to confidentiality. (CVE-2020-12402)\n\nA flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\nA flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-6829)\n\n \n**Affected Packages:** \n\n\nnspr, nss-softokn, nss-util\n\n \n**Issue Correction:** \nRun _yum update nspr_ to update your system. \nRun _yum update nss-softokn_ to update your system. \nRun _yum update nss-util_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n i686: \n \u00a0\u00a0\u00a0 nspr-devel-4.25.0-2.45.amzn1.i686 \n \u00a0\u00a0\u00a0 nspr-debuginfo-4.25.0-2.45.amzn1.i686 \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.45.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.58.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-util-debuginfo-3.53.1-1.58.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-util-devel-3.53.1-1.58.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-3.53.1-6.46.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-devel-3.53.1-6.46.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.46.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-softokn-devel-3.53.1-6.46.amzn1.i686 \n \u00a0\u00a0\u00a0 nss-softokn-debuginfo-3.53.1-6.46.amzn1.i686 \n \n src: \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.45.amzn1.src \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.58.amzn1.src \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.46.amzn1.src \n \n x86_64: \n \u00a0\u00a0\u00a0 nspr-debuginfo-4.25.0-2.45.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.45.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nspr-devel-4.25.0-2.45.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-util-devel-3.53.1-1.58.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.58.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-util-debuginfo-3.53.1-1.58.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-devel-3.53.1-6.46.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-devel-3.53.1-6.46.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-debuginfo-3.53.1-6.46.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.46.amzn1.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-3.53.1-6.46.amzn1.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2019-11719](<https://access.redhat.com/security/cve/CVE-2019-11719>), [CVE-2019-11727](<https://access.redhat.com/security/cve/CVE-2019-11727>), [CVE-2019-11756](<https://access.redhat.com/security/cve/CVE-2019-11756>), [CVE-2019-17006](<https://access.redhat.com/security/cve/CVE-2019-17006>), [CVE-2019-17023](<https://access.redhat.com/security/cve/CVE-2019-17023>), [CVE-2020-12400](<https://access.redhat.com/security/cve/CVE-2020-12400>), [CVE-2020-12401](<https://access.redhat.com/security/cve/CVE-2020-12401>), [CVE-2020-12402](<https://access.redhat.com/security/cve/CVE-2020-12402>), [CVE-2020-12403](<https://access.redhat.com/security/cve/CVE-2020-12403>), [CVE-2020-6829](<https://access.redhat.com/security/cve/CVE-2020-6829>)\n\nMitre: [CVE-2019-11719](<https://vulners.com/cve/CVE-2019-11719>), [CVE-2019-11727](<https://vulners.com/cve/CVE-2019-11727>), [CVE-2019-11756](<https://vulners.com/cve/CVE-2019-11756>), [CVE-2019-17006](<https://vulners.com/cve/CVE-2019-17006>), [CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>), [CVE-2020-12400](<https://vulners.com/cve/CVE-2020-12400>), [CVE-2020-12401](<https://vulners.com/cve/CVE-2020-12401>), [CVE-2020-12402](<https://vulners.com/cve/CVE-2020-12402>), [CVE-2020-12403](<https://vulners.com/cve/CVE-2020-12403>), [CVE-2020-6829](<https://vulners.com/cve/CVE-2020-6829>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-08T18:41:00", "type": "amazon", "title": "Medium: nspr, nss-softokn, nss-util", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2021-07-12T21:53:00", "id": "ALAS-2021-1522", "href": "https://alas.aws.amazon.com/ALAS-2021-1522.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-13T15:31:30", "description": "**Issue Overview:**\n\nWhen importing a curve25519 private key in PKCS#8format with leading 0x00 bytes, it is possible to trigger an out-of-bounds read in the Network Security Services (NSS) library. This could lead to information disclosure. This vulnerability affects Firefox ESR < 60.8, Firefox < 68, and Thunderbird < 60.8. (CVE-2019-11719)\n\nA vulnerability exists where it possible to force Network Security Services (NSS) to sign CertificateVerify with PKCS#1 v1.5 signatures when those are the only ones advertised by server in CertificateRequest in TLS 1.3. PKCS#1 v1.5 signatures should not be used for TLS 1.3 messages. This vulnerability affects Firefox < 68\\. (CVE-2019-11727)\n\nA use-after-free flaw was found in Mozilla Network Security Services (NSS) related to PK11 session handling. An attacker could use this flaw to execute arbitrary code with the permissions of the user running the application compiled with NSS. (CVE-2019-11756)\n\nA vulnerability was discovered in nss where input text length was not checked when using certain cryptographic primitives. This could lead to a heap-buffer overflow resulting in a crash and data leak. The highest threat is to confidentiality and integrity of data as well as system availability. (CVE-2019-17006)\n\nA protocol downgrade flaw was found in Network Security Services (NSS). After a HelloRetryRequest has been sent, the client may negotiate a lower protocol than TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored. (CVE-2019-17023)\n\nA side channel flaw was found in nss, in the way P-384 and P-521 curves are used in the generation of EDSA signatures, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-12400)\n\nA flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-12401)\n\nA flaw was found in NSS, where it is vulnerable to RSA key generation cache timing side-channel attacks. An attacker with sufficient access to mount cache timing attacks during the RSA key generation process could recover the private key. The highest threat to this flaw is to confidentiality. (CVE-2020-12402)\n\nA flaw was found in the way CHACHA20-POLY1305 was implemented in NSS. When using multi-part Chacha20, it could cause out-of-bounds reads. This issue was fixed by explicitly disabling multi-part ChaCha20 (which was not functioning correctly) and strictly enforcing tag length. The highest threat from this vulnerability is to confidentiality and system availability. (CVE-2020-12403)\n\nA flaw was found in nss. Using the EM side-channel, it is possible to extract the position of zero and non-zero wNAF digits while nss-certutil tool performs scalar multiplication during the ECDSA signature generation, leaking partial information about the ECDSA nonce. Given a small number of ECDSA signatures, this information can be used to steal the private key. The highest threat from this vulnerability is to data confidentiality. (CVE-2020-6829)\n\n \n**Affected Packages:** \n\n\nnspr, nss-softokn, nss-util, nss\n\n \n**Issue Correction:** \nRun _yum update nspr_ to update your system. \nRun _yum update nss-softokn_ to update your system. \nRun _yum update nss-util_ to update your system. \nRun _yum update nss_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n aarch64: \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nspr-devel-4.25.0-2.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nspr-debuginfo-4.25.0-2.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-util-devel-3.53.1-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-util-debuginfo-3.53.1-1.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-3.53.1-6.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-devel-3.53.1-6.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-softokn-devel-3.53.1-6.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-softokn-debuginfo-3.53.1-6.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-3.53.1-3.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-tools-3.53.1-3.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-sysinit-3.53.1-3.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-devel-3.53.1-3.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-pkcs11-devel-3.53.1-3.amzn2.aarch64 \n \u00a0\u00a0\u00a0 nss-debuginfo-3.53.1-3.amzn2.aarch64 \n \n i686: \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.amzn2.i686 \n \u00a0\u00a0\u00a0 nspr-devel-4.25.0-2.amzn2.i686 \n \u00a0\u00a0\u00a0 nspr-debuginfo-4.25.0-2.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-util-devel-3.53.1-1.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-util-debuginfo-3.53.1-1.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-3.53.1-6.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-devel-3.53.1-6.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-softokn-devel-3.53.1-6.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-softokn-debuginfo-3.53.1-6.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-3.53.1-3.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-tools-3.53.1-3.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-sysinit-3.53.1-3.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-devel-3.53.1-3.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-pkcs11-devel-3.53.1-3.amzn2.i686 \n \u00a0\u00a0\u00a0 nss-debuginfo-3.53.1-3.amzn2.i686 \n \n src: \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.amzn2.src \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.amzn2.src \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.amzn2.src \n \u00a0\u00a0\u00a0 nss-3.53.1-3.amzn2.src \n \n x86_64: \n \u00a0\u00a0\u00a0 nspr-4.25.0-2.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nspr-devel-4.25.0-2.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nspr-debuginfo-4.25.0-2.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-util-3.53.1-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-util-devel-3.53.1-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-util-debuginfo-3.53.1-1.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-3.53.1-6.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-3.53.1-6.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-freebl-devel-3.53.1-6.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-devel-3.53.1-6.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-softokn-debuginfo-3.53.1-6.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-3.53.1-3.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-tools-3.53.1-3.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-sysinit-3.53.1-3.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-devel-3.53.1-3.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-pkcs11-devel-3.53.1-3.amzn2.x86_64 \n \u00a0\u00a0\u00a0 nss-debuginfo-3.53.1-3.amzn2.x86_64 \n \n \n\n### Additional References\n\nRed Hat: [CVE-2019-11719](<https://access.redhat.com/security/cve/CVE-2019-11719>), [CVE-2019-11727](<https://access.redhat.com/security/cve/CVE-2019-11727>), [CVE-2019-11756](<https://access.redhat.com/security/cve/CVE-2019-11756>), [CVE-2019-17006](<https://access.redhat.com/security/cve/CVE-2019-17006>), [CVE-2019-17023](<https://access.redhat.com/security/cve/CVE-2019-17023>), [CVE-2020-12400](<https://access.redhat.com/security/cve/CVE-2020-12400>), [CVE-2020-12401](<https://access.redhat.com/security/cve/CVE-2020-12401>), [CVE-2020-12402](<https://access.redhat.com/security/cve/CVE-2020-12402>), [CVE-2020-12403](<https://access.redhat.com/security/cve/CVE-2020-12403>), [CVE-2020-6829](<https://access.redhat.com/security/cve/CVE-2020-6829>)\n\nMitre: [CVE-2019-11719](<https://vulners.com/cve/CVE-2019-11719>), [CVE-2019-11727](<https://vulners.com/cve/CVE-2019-11727>), [CVE-2019-11756](<https://vulners.com/cve/CVE-2019-11756>), [CVE-2019-17006](<https://vulners.com/cve/CVE-2019-17006>), [CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>), [CVE-2020-12400](<https://vulners.com/cve/CVE-2020-12400>), [CVE-2020-12401](<https://vulners.com/cve/CVE-2020-12401>), [CVE-2020-12402](<https://vulners.com/cve/CVE-2020-12402>), [CVE-2020-12403](<https://vulners.com/cve/CVE-2020-12403>), [CVE-2020-6829](<https://vulners.com/cve/CVE-2020-6829>)\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-09T21:02:00", "type": "amazon", "title": "Medium: nspr, nss-softokn, nss-util, nss", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2020-11-11T17:41:00", "id": "ALAS2-2020-1559", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1559.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "centos": [{"lastseen": "2023-09-07T14:17:14", "description": "**CentOS Errata and Security Advisory** CESA-2020:4076\n\n\nNetwork Security Services (NSS) is a set of libraries designed to support the cross-platform development of security-enabled client and server applications.\n\nNetscape Portable Runtime (NSPR) provides platform independence for non-GUI operating system facilities.\n\nThe following packages have been upgraded to a later upstream version: nss (3.53.1), nss-softokn (3.53.1), nss-util (3.53.1), nspr (4.25.0). (BZ#1804262, BZ#1804264, BZ#1804271, BZ#1804273)\n\nSecurity Fix(es):\n\n* nss: Out-of-bounds read when importing curve25519 private key (CVE-2019-11719)\n\n* nss: Use-after-free in sftk_FreeSession due to improper refcounting (CVE-2019-11756)\n\n* nss: Check length of inputs for cryptographic primitives (CVE-2019-17006)\n\n* nss: Side channel attack on ECDSA signature generation (CVE-2020-6829)\n\n* nss: P-384 and P-521 implementation uses a side-channel vulnerable modular inversion function (CVE-2020-12400)\n\n* nss: ECDSA timing attack mitigation bypass (CVE-2020-12401)\n\n* nss: Side channel vulnerabilities during RSA key generation (CVE-2020-12402)\n\n* nss: CHACHA20-POLY1305 decryption with undersized tag leads to out-of-bounds read (CVE-2020-12403)\n\n* nss: PKCS#1 v1.5 signatures can be used for TLS 1.3 (CVE-2019-11727)\n\n* nss: TLS 1.3 HelloRetryRequest downgrade request sets client into invalid state (CVE-2019-17023)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* Memory leak: libcurl leaks 120 bytes on each connection (BZ#1688958)\n\n* NSS does not set downgrade sentinel in ServerHello.random for TLS 1.0 and TLS 1.1 (BZ#1712924)\n\n* Make TLS 1.3 work in FIPS mode (BZ#1724251)\n\n* Name Constraints validation: CN treated as DNS name even when syntactically invalid as DNS name (BZ#1737910)\n\n* x25519 allowed in FIPS mode (BZ#1754518)\n\n* When NSS_SDB_USE_CACHE not set, after curl access https, dentry increase but never released - consider alternative algorithm for benchmarking ACCESS call in sdb_measureAccess (BZ#1779325)\n\n* Running ipa-backup continuously causes httpd to crash and makes it irrecoverable (BZ#1804015)\n\n* nss needs to comply to the new SP800-56A rev 3 requirements (BZ#1857308)\n\n* KDF-self-tests-induced changes for nss in RHEL 7.9 (BZ#1870885)\n\n**Merged security bulletin from advisories:**\nhttps://lists.centos.org/pipermail/centos-announce/2021-April/086103.html\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-November/032946.html\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-November/032947.html\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-November/032948.html\nhttps://lists.centos.org/pipermail/centos-cr-announce/2020-November/032949.html\n\n**Affected packages:**\nnspr\nnspr-devel\nnss\nnss-devel\nnss-pkcs11-devel\nnss-softokn\nnss-softokn-devel\nnss-softokn-freebl\nnss-softokn-freebl-devel\nnss-sysinit\nnss-tools\nnss-util\nnss-util-devel\n\n**Upstream details at:**\nhttps://access.redhat.com/errata/RHSA-2020:4076", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-06T22:01:52", "type": "centos", "title": "nspr, nss security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-11719", "CVE-2019-11727", "CVE-2019-11756", "CVE-2019-17006", "CVE-2019-17023", "CVE-2020-12400", "CVE-2020-12401", "CVE-2020-12402", "CVE-2020-12403", "CVE-2020-6829"], "modified": "2021-04-29T17:59:20", "id": "CESA-2020:4076", "href": "https://lists.centos.org/pipermail/centos-cr-announce/2020-November/032946.html", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "mozilla": [{"lastseen": "2023-06-13T14:58:12", "description": "During the initialization of a new content process, a pointer offset can be manipulated leading to memory corruption and a potentially exploitable crash in the parent process. Note: this issue only occurs on Windows. Other operating systems are unaffected.\nWhen pasting a Due to a missing case handling object types, a type confusion vulnerability could occur, resulting in a crash. We presume that with enough effort that it could be exploited to run arbitrary code.\nWhen in Private Browsing Mode on Windows 10, the Windows keyboard may retain word suggestions to improve the accuracy of the keyboard.\nWhen Python was installed on Windows, a python file being served with the MIME type of text/plain could be executed by Python instead of being opened as a text file when the Open option was selected upon download. Note: this issue only occurs on Windows. Other operating systems are unaffected.\nIf an XML file is served with a Content Security Policy and the XML file includes an XSL stylesheet, the Content Security Policy will not be applied to the contents of the XSL stylesheet. If the XSL sheet e.g. includes JavaScript, it would bypass any of the restrictions of the Content Security Policy applied to the XML document.\nDuring the initialization of a new content process, a race condition occurs that can allow a content process to disclose heap addresses from the parent process. Note: this issue only occurs on Windows. Other operating systems are unaffected.\nWhen pasting a After a HelloRetryRequest has been sent, the client may negotiate a lower protocol that TLS 1.3, resulting in an invalid state transition in the TLS State Machine. If the client gets into this state, incoming Application Data records will be ignored.\nMozilla developers Jason Kratzer, Christian Holler, and Bob Clary reported memory safety bugs present in Firefox 71 and Firefox ESR 68.3. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.\nMozilla developers Karl Tomlinson, Jason Kratzer, Tyson Smith, Jon Coppeard, and Christian Holler reported memory safety bugs present in Firefox 71. Some of these bugs showed evidence of memory corruption and we presume that with enough effort some of these could have been exploited to run arbitrary code.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-07T00:00:00", "type": "mozilla", "title": "Security Vulnerabilities fixed in Firefox 72 \u2014 Mozilla", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17015", "CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17018", "CVE-2019-17019", "CVE-2019-17020", "CVE-2019-17021", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025"], "modified": "2020-01-07T00:00:00", "id": "MFSA2020-01", "href": "https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "kaspersky": [{"lastseen": "2023-06-13T15:17:58", "description": "### *Detect date*:\n01/07/2020\n\n### *Severity*:\nHigh\n\n### *Description*:\nMultiple vulnerabilities were found in Mozilla Firefox. Malicious users can exploit these vulnerabilities to execute arbitrary code, cause denial of service, obtain sensitive information, bypass security restrictions, perform cross-site scripting attack.\n\n### *Affected products*:\nMozilla Firefox earlier than 72\n\n### *Solution*:\nUpdate to the latest version \n[Download Mozilla Firefox](<https://www.mozilla.org/en-US/firefox/new/>)\n\n### *Original advisories*:\n[mfsa2020-01](<https://www.mozilla.org/en-US/security/advisories/mfsa2020-01/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[Mozilla Firefox](<https://threats.kaspersky.com/en/product/Mozilla-Firefox/>)\n\n### *CVE-IDS*:\n[CVE-2019-17019](<https://vulners.com/cve/CVE-2019-17019>)6.8High \n[CVE-2019-17024](<https://vulners.com/cve/CVE-2019-17024>)6.8High \n[CVE-2019-17021](<https://vulners.com/cve/CVE-2019-17021>)2.6Warning \n[CVE-2019-17016](<https://vulners.com/cve/CVE-2019-17016>)4.3Warning \n[CVE-2019-17017](<https://vulners.com/cve/CVE-2019-17017>)6.8High \n[CVE-2019-17025](<https://vulners.com/cve/CVE-2019-17025>)6.8High \n[CVE-2019-17023](<https://vulners.com/cve/CVE-2019-17023>)4.3Warning \n[CVE-2019-17022](<https://vulners.com/cve/CVE-2019-17022>)4.3Warning \n[CVE-2019-17020](<https://vulners.com/cve/CVE-2019-17020>)4.3Warning \n[CVE-2019-17018](<https://vulners.com/cve/CVE-2019-17018>)5.0Critical \n[CVE-2019-17015](<https://vulners.com/cve/CVE-2019-17015>)6.8High", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2020-01-07T00:00:00", "type": "kaspersky", "title": "KLA11628 Multiple vulnerabilities in Mozilla Firefox", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-17015", "CVE-2019-17016", "CVE-2019-17017", "CVE-2019-17018", "CVE-2019-17019", "CVE-2019-17020", "CVE-2019-17021", "CVE-2019-17022", "CVE-2019-17023", "CVE-2019-17024", "CVE-2019-17025"], "modified": "2020-06-03T00:00:00", "id": "KLA11628", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11628/", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}