AlmaLinux 8 : idm:DL1 (ALSA-2025:9188)

🗓️ 30 Jun 2025 00:00:00Reported by TenableType
AlmaLinux 8 has affected packages allowing privilege escalation in FreeIPA according to advisory ALSA-2025:9188.
Reporter	Title	Published	Views	Family All 116
IBM Security Bulletins	Security Bulletin: Vulnerability in FreeIPA affects IBM Netezza Appliance	22 Apr 202613:18	–	ibm
GithubExploit	Exploit for CVE-2025-4404	9 Aug 202507:19	–	githubexploit
Tenable Nessus	Amazon Linux 2 : ipa (ALAS-2025-2901)	25 Jun 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0116: idm:DL1 (ALINUX3-SA-2025:0116)	22 Jul 202500:00	–	nessus
Tenable Nessus	Alibaba Cloud Linux 3 : 0162: idm:DL1 (ALINUX3-SA-2025:0162)	16 Oct 202500:00	–	nessus
Tenable Nessus	AlmaLinux 9 : ipa (ALSA-2025:9184)	30 Jun 202500:00	–	nessus
Tenable Nessus	AlmaLinux 10 : ipa (ALSA-2025:9190)	9 Oct 202500:00	–	nessus
Tenable Nessus	MiracleLinux 8 : idm:DL1 (AXSA:2025-10036:01)	13 Jan 202600:00	–	nessus
Tenable Nessus	MiracleLinux 9 : ipa-4.12.2-14.el9_6.1 (AXSA:2025-10543:04)	13 Jan 202600:00	–	nessus
Tenable Nessus	Oracle Linux 9 : ipa (ELSA-2025-9184)	18 Jun 202500:00	–	nessus
Source	Link
errata	www.errata.almalinux.org/8/ALSA-2025-9188.html
access	www.access.redhat.com/errata/RHSA-2025:9188
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# AlmaLinux Security Advisory ALSA-2025:9188.
##

include('compat.inc');

if (description)
{
  script_id(240953);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/30");

  script_cve_id("CVE-2025-4404");
  script_xref(name:"ALSA", value:"2025:9188");
  script_xref(name:"RHSA", value:"2025:9188");

  script_name(english:"AlmaLinux 8 : idm:DL1 (ALSA-2025:9188)");

  script_set_attribute(attribute:"synopsis", value:
"The remote AlmaLinux host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The remote AlmaLinux 8 host has packages installed that are affected by a vulnerability as referenced in the
ALSA-2025:9188 advisory.

    * freeIPA: idm: Privilege escalation from host to domain admin in FreeIPA (CVE-2025-4404)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://errata.almalinux.org/8/ALSA-2025-9188.html");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2025:9188");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-4404");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(1220);

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/06/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/06/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/06/30");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:bind-dyndb-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:custodia");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-client");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-client-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-client-epn");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-client-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-healthcheck");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-healthcheck-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-python-compat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-selinux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-server-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-server-dns");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:ipa-server-trust-ad");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:opendnssec");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-custodia");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-ipaclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-ipalib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-ipaserver");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-ipatests");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-jwcrypto");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-kdcproxy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-pyusb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-qrcode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-qrcode-core");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:python3-yubico");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:slapi-nis");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:softhsm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:alma:linux:softhsm-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::appstream");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::baseos");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::highavailability");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::nfv");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::powertools");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::realtime");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::resilientstorage");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::sap");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::sap_hana");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:alma:linux:8::supplementary");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Alma Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AlmaLinux/release", "Host/AlmaLinux/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm2.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'AlmaLinux' >!< os_product) audit(AUDIT_OS_NOT, 'AlmaLinux');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'AlmaLinux');
if (! preg(pattern:"^8([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'AlmaLinux 8.x', 'AlmaLinux ' + os_version);

if (!get_kb_item('Host/AlmaLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'AlmaLinux', cpu);

var module_ver = get_kb_item('Host/AlmaLinux/appstream/idm');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module idm:DL1');
if ('DL1' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module idm:' + module_ver);

var constraints = {
  'idm:DL1': [
    {
      'release': '8',
      'pkgs': [
        {'reference':'bind-dyndb-ldap-11.6-6.module_el8.10.0+3980+d78e8e90', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'bind-dyndb-ldap-11.6-6.module_el8.10.0+3980+d78e8e90', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'bind-dyndb-ldap-11.6-6.module_el8.10.0+3980+d78e8e90', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'bind-dyndb-ldap-11.6-6.module_el8.10.0+3980+d78e8e90', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'custodia-0.6.0-3.module_el8.6.0+2881+2f24dc92', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-common-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-epn-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-epn-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-epn-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-epn-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-samba-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-samba-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-samba-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-client-samba-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-common-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-healthcheck-0.12-5.module_el8.10.0+3980+d78e8e90', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-healthcheck-core-0.12-5.module_el8.10.0+3980+d78e8e90', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-python-compat-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-selinux-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-common-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-dns-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-trust-ad-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-trust-ad-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-trust-ad-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'ipa-server-trust-ad-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'opendnssec-2.1.7-2.module_el8.10.0+3980+d78e8e90', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'opendnssec-2.1.7-2.module_el8.10.0+3980+d78e8e90', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'opendnssec-2.1.7-2.module_el8.10.0+3980+d78e8e90', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'opendnssec-2.1.7-2.module_el8.10.0+3980+d78e8e90', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-custodia-0.6.0-3.module_el8.6.0+2881+2f24dc92', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-ipaclient-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-ipalib-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-ipaserver-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-ipatests-4.9.13-18.module_el8.10.0+4018+32aeeb28', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-jwcrypto-0.5.0-2.module_el8.10.0+3844+20e075e5', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-kdcproxy-0.4-5.module_el8.10.0+3942+63b39a46.1', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-pyusb-1.0.0-9.1.module_el8.7.0+3349+cfeff52e', 'el_string':'el8.7.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-qrcode-5.3-1.module_el8.10.0+3942+63b39a46', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-qrcode-core-5.3-1.module_el8.10.0+3942+63b39a46', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'python3-yubico-1.3.2-9.1.module_el8.7.0+3349+cfeff52e', 'el_string':'el8.7.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'slapi-nis-0.60.0-4.module_el8.10.0+3844+20e075e5.alma.1', 'cpu':'aarch64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'slapi-nis-0.60.0-4.module_el8.10.0+3844+20e075e5.alma.1', 'cpu':'ppc64le', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'slapi-nis-0.60.0-4.module_el8.10.0+3844+20e075e5.alma.1', 'cpu':'s390x', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'slapi-nis-0.60.0-4.module_el8.10.0+3844+20e075e5.alma.1', 'cpu':'x86_64', 'el_string':'el8.10.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'aarch64', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'ppc64le', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'s390x', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'x86_64', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-devel-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'aarch64', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-devel-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'ppc64le', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-devel-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'s390x', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
        {'reference':'softhsm-devel-2.6.0-5.module_el8.6.0+2881+2f24dc92', 'cpu':'x86_64', 'el_string':'el8.6.0', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
      ]
    }
  ]
};

var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');

var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
var appstreams_found = 0;
var appstream;
var appstream_name;
var appstream_version;
foreach var module (keys(constraints)) {
  appstream = NULL;
  appstream_name = NULL;
  appstream_version = NULL;
  appstream_split = split(module, sep:':', keep:FALSE);
  if (!empty_or_null(appstream_split)) {
    appstream_name = appstream_split[0];
    appstream_version = appstream_split[1];
    if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/AlmaLinux/appstream/' + appstream_name);
  }
  if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
    appstreams_found++;
    foreach var module_array ( constraints[module] ) {
      # Check that the target release is equal to the affected release
      if (!empty_or_null(module_array['release'])){
        if (module_array['release'] != os_release) continue;
      }
      if (!empty_or_null(module_array['sp'])){
        if (module_array['sp'] != os_sp) continue;
      }
      foreach var package_array ( module_array['pkgs'] ) {
        reference = NULL;
        sp = NULL;
        _cpu = NULL;
        el_string = NULL;
        rpm_spec_vers_cmp = NULL;
        epoch = NULL;
        allowmaj = NULL;
        exists_check = NULL;
        cves = NULL;
        if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
        if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
        if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
        if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
        if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
        if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
        if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
        if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
        if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
        if (reference &&
            (!exists_check || rpm_exists(rpm:exists_check)) &&
            rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
      }
    }
  }
}

if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module idm:DL1');

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bind-dyndb-ldap / custodia / ipa-client / ipa-client-common / etc');
}
30 Jun 2025 00:00Current
8.5High risk
Vulners AI Score8.5
CVSS 3.19.1
EPSS0.00293
SSVC