ID FEDORA:E015D612BF91 Type fedora Reporter Fedora Modified 2016-01-08T03:37:25
Description
Shell In A Box implements a web server that can export arbitrary command line tools to a web based terminal emulator. This emulator is accessible to any JavaScript and CSS enabled web browser and does not require any additional browser plugins.
{"id": "FEDORA:E015D612BF91", "type": "fedora", "bulletinFamily": "unix", "title": "[SECURITY] Fedora 22 Update: shellinabox-2.19-1.fc22", "description": "Shell In A Box implements a web server that can export arbitrary command line tools to a web based terminal emulator. This emulator is accessible to any JavaScript and CSS enabled web browser and does not require any additional browser plugins. ", "published": "2016-01-08T03:37:25", "modified": "2016-01-08T03:37:25", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "", "reporter": "Fedora", "references": [], "cvelist": ["CVE-2015-8400"], "lastseen": "2020-12-21T08:17:53", "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2015-8400"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310806936", "OPENVAS:1361412562310806935"]}, {"type": "nessus", "idList": ["FEDORA_2015-463143720F.NASL", "OPENSUSE-2016-1501.NASL", "FEDORA_2015-1C773E8702.NASL"]}, {"type": "fedora", "idList": ["FEDORA:3BB786108A46"]}], "modified": "2020-12-21T08:17:53", "rev": 2}, "score": {"value": 4.5, "vector": "NONE", "modified": "2020-12-21T08:17:53", "rev": 2}, "vulnersScore": 4.5}, "affectedPackage": [{"OS": "Fedora", "OSVersion": "22", "arch": "any", "packageName": "shellinabox", "packageVersion": "2.19", "packageFilename": "UNKNOWN", "operator": "lt"}]}
{"cve": [{"lastseen": "2021-02-02T06:21:30", "description": "The HTTPS fallback implementation in Shell In A Box (aka shellinabox) before 2.19 makes it easier for remote attackers to conduct DNS rebinding attacks via the \"/plain\" URL.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 4.0}, "published": "2016-01-12T19:59:00", "title": "CVE-2015-8400", "type": "cve", "cwe": ["CWE-254"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-8400"], "modified": "2016-01-20T14:15:00", "cpe": ["cpe:/a:shellinabox_project:shellinabox:2.18", "cpe:/o:fedoraproject:fedora:22", "cpe:/o:fedoraproject:fedora:23"], "id": "CVE-2015-8400", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-8400", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:shellinabox_project:shellinabox:2.18:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*"]}], "fedora": [{"lastseen": "2020-12-21T08:17:53", "bulletinFamily": "unix", "cvelist": ["CVE-2015-8400"], "description": "Shell In A Box implements a web server that can export arbitrary command li ne 
tools to a web based terminal emulator. This emulator is accessible to any JavaScript and CSS enabled web browser and does not require any additional browser plugins. ", "modified": "2016-01-07T20:00:55", "published": "2016-01-07T20:00:55", "id": "FEDORA:3BB786108A46", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 23 Update: shellinabox-2.19-1.fc23", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8400"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-01-08T00:00:00", "id": "OPENVAS:1361412562310806935", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806935", "type": "openvas", "title": "Fedora Update for shellinabox FEDORA-2015-463143720", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for shellinabox FEDORA-2015-463143720\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806935\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-08 06:29:46 +0100 (Fri, 08 Jan 2016)\");\n script_cve_id(\"CVE-2015-8400\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for shellinabox FEDORA-2015-463143720\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'shellinabox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"shellinabox on Fedora 22\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-463143720\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC22\");\n\n 
exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC22\")\n{\n\n if ((res = isrpmvuln(pkg:\"shellinabox\", rpm:\"shellinabox~2.19~1.fc22\", rls:\"FC22\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-05-29T18:34:56", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8400"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2016-01-08T00:00:00", "id": "OPENVAS:1361412562310806936", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806936", "type": "openvas", "title": "Fedora Update for shellinabox FEDORA-2015-1", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for shellinabox FEDORA-2015-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806936\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2016-01-08 06:29:45 +0100 (Fri, 08 Jan 2016)\");\n script_cve_id(\"CVE-2015-8400\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for shellinabox FEDORA-2015-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'shellinabox'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"affected\", value:\"shellinabox on Fedora 23\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_xref(name:\"FEDORA\", value:\"2015-1\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC23\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC23\")\n{\n\n if ((res = isrpmvuln(pkg:\"shellinabox\", rpm:\"shellinabox~2.19~1.fc23\", rls:\"FC23\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2021-01-12T10:13:35", "description": " - Added support for middle-click paste * Improved iOS\n support * New logic to enable soft keyboard icon *\n Disable HTTPS fallback using the URL /plain.\n Consequently disables automatic upgrades from HTTP to\n HTTPS (CVE-2015-8400)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 7.4, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}, "published": "2016-03-04T00:00:00", "title": "Fedora 22 : shellinabox-2.19-1.fc22 (2015-463143720f)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8400"], "modified": "2016-03-04T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:shellinabox", "cpe:/o:fedoraproject:fedora:22"], "id": "FEDORA_2015-463143720F.NASL", "href": "https://www.tenable.com/plugins/nessus/89229", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-463143720f.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89229);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8400\");\n script_xref(name:\"FEDORA\", value:\"2015-463143720f\");\n\n script_name(english:\"Fedora 22 : shellinabox-2.19-1.fc22 
(2015-463143720f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Added support for middle-click paste * Improved iOS\n support * New logic to enable soft keyboard icon *\n Disable HTTPS fallback using the URL /plain.\n Consequently disables automatic upgrades from HTTP to\n HTTPS (CVE-2015-8400)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1287578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1287579\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175224.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?df0836f4\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected shellinabox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:shellinabox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:22\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is 
Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^22([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 22.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC22\", reference:\"shellinabox-2.19-1.fc22\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"shellinabox\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-12T10:13:25", "description": " - Added support for middle-click paste * Improved iOS\n support * New logic to enable soft keyboard icon *\n Disable HTTPS fallback using the URL /plain.\n Consequently disables automatic upgrades from HTTP to\n HTTPS (CVE-2015-8400)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora 
security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 7.4, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}, "published": "2016-03-04T00:00:00", "title": "Fedora 23 : shellinabox-2.19-1.fc23 (2015-1c773e8702)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8400"], "modified": "2016-03-04T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:shellinabox", "cpe:/o:fedoraproject:fedora:23"], "id": "FEDORA_2015-1C773E8702.NASL", "href": "https://www.tenable.com/plugins/nessus/89163", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2015-1c773e8702.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(89163);\n script_version(\"2.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2015-8400\");\n script_xref(name:\"FEDORA\", value:\"2015-1c773e8702\");\n\n script_name(english:\"Fedora 23 : shellinabox-2.19-1.fc23 (2015-1c773e8702)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\" - Added support for middle-click paste * Improved iOS\n support * New logic to enable soft keyboard icon *\n Disable HTTPS fallback using the URL /plain.\n Consequently disables automatic upgrades from HTTP to\n HTTPS (CVE-2015-8400)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1287578\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=1287579\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2016-January/175117.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3ba30dba\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected shellinabox package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:shellinabox\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:23\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/01/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/03/04\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", 
string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^23([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 23.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC23\", reference:\"shellinabox-2.19-1.fc23\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"shellinabox\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-01-20T12:29:50", "description": "shellinabox was updated to version 2.20 to fix the following security\nissues :\n\n - It was possible to fallback to the HTTP protocol even\n when configured for HTTPS. 
(CVE-2015-8400, boo#957748)\n\n - Disable secure client-initiated renegotiation\n\n - Set SSL options for increased security (disable SSLv2,\n SSLv3)\n\n - Protection against large HTTP requests\n\nnon security fixes :\n\n - Includes some MSIE and iOS rendering fixes", "edition": 17, "cvss3": {"score": 7.4, "vector": "AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N"}, "published": "2016-12-22T00:00:00", "title": "openSUSE Security Update : shellinabox (openSUSE-2016-1501)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-8400"], "modified": "2016-12-22T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:shellinabox-debuginfo", "cpe:/o:novell:opensuse:42.1", "cpe:/o:novell:opensuse:13.2", "cpe:/o:novell:opensuse:42.2", "p-cpe:/a:novell:opensuse:shellinabox-debugsource", "p-cpe:/a:novell:opensuse:shellinabox"], "id": "OPENSUSE-2016-1501.NASL", "href": "https://www.tenable.com/plugins/nessus/96063", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2016-1501.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(96063);\n script_version(\"3.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2015-8400\");\n\n script_name(english:\"openSUSE Security Update : shellinabox (openSUSE-2016-1501)\");\n script_summary(english:\"Check for the openSUSE-2016-1501 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"shellinabox was updated to version 2.20 to fix the following security\nissues :\n\n - It was possible to fallback to the HTTP protocol even\n when configured for HTTPS. 
(CVE-2015-8400, boo#957748)\n\n - Disable secure client-initiated renegotiation\n\n - Set SSL options for increased security (disable SSLv2,\n SSLv3)\n\n - Protection against large HTTP requests\n\nnon security fixes :\n\n - Includes some MSIE and iOS rendering fixes\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=957748\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected shellinabox packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:shellinabox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:shellinabox-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:shellinabox-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:13.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/12/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2016/12/22\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2016-2021 Tenable Network Security, Inc.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) 
audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE13\\.2|SUSE42\\.1|SUSE42\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"13.2 / 42.1 / 42.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE13.2\", reference:\"shellinabox-2.20-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"shellinabox-debuginfo-2.20-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE13.2\", reference:\"shellinabox-debugsource-2.20-5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"shellinabox-2.20-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"shellinabox-debuginfo-2.20-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.1\", reference:\"shellinabox-debugsource-2.20-11.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"shellinabox-2.20-12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"shellinabox-debuginfo-2.20-12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.2\", reference:\"shellinabox-debugsource-2.20-12.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"shellinabox / shellinabox-debuginfo / shellinabox-debugsource\");\n}\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}