ID DEBIAN_DLA-2283.NASL Type nessus Reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2020-07-21T00:00:00
Description
An HTTP request smuggling issue was discovered in the ngx_lua plugin
for nginx, a high-performance web and reverse proxy server, as
demonstrated by the ngx.location.capture API.
For Debian 9 stretch, this problem has been fixed in version
1.10.3-1+deb9u5.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/nginx
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DLA-2283-1. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include("compat.inc");
if (description)
{
  # Registration section: runs only when `description` is set (presumably by
  # the scanner while it loads plugin metadata). It declares identity,
  # severity and prerequisites, then exits before any host data is read.

  # --- Identity and revision ---
  script_id(138782);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/07/23");

  script_cve_id("CVE-2020-11724");

  script_name(english:"Debian DLA-2283-1 : nginx security update");
  script_summary(english:"Checks dpkg output for the updated packages.");

  # --- Finding text shown to the analyst ---
  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security update.");

  # The continuation lines of this string literal stay flush-left on purpose:
  # any indentation added here would become part of the reported text.
  script_set_attribute(attribute:"description", value:
"An HTTP request smuggling issue was discovered in the ngx_lua plugin
for nginx, a high-performance web and reverse proxy server, as
demonstrated by the ngx.location.capture API.
For Debian 9 stretch, this problem has been fixed in version
1.10.3-1+deb9u5.
We recommend that you upgrade your nginx packages.
For the detailed security status of nginx please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/nginx
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues.");

  # --- References: LTS announcement, source package page, security tracker ---
  script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/stretch/nginx");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/nginx");

  script_set_attribute(attribute:"solution", value:"Upgrade the affected packages.");

  # --- Severity ---
  # Both base vectors describe a network-reachable, unauthenticated issue with
  # integrity impact only (C:N, A:N). The temporal vectors record an unproven
  # exploit (E:U), an official fix (RL:OF / RL:O) and a confirmed report (RC:C).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  # --- Scope ---
  # "local" plugin: the result is derived from data collected on the host, not
  # from probing the nginx service over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");

  # One CPE per binary package this plugin version-checks, plus the OS release.
  # NOTE(review): the description names the ngx_lua plugin, yet every listed
  # nginx package is covered, so a finding reports an outdated package rather
  # than proof that the Lua module is in use.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-auth-pam");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-cache-purge");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-dav-ext");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-echo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-fancyindex");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-geoip");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-headers-more-filter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-image-filter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-lua");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-ndk");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-perl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-subs-filter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-uploadprogress");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-upstream-fair");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-http-xslt-filter");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-mail");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-nchan");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnginx-mod-stream");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-extras");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-full");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nginx-light");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:9.0");

  # --- Timeline: CVE publication, Debian fix, plugin release ---
  script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2020/07/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/07/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  # --- Scheduling and prerequisites ---
  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Debian Local Security Checks");

  # Depends on ssh_get_info.nasl and on three knowledge-base keys; presumably
  # the plugin is not run when local checks or the dpkg listing are
  # unavailable, so absence of this finding on such a host proves nothing.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  # Leave now: the registration pass must not fall through to the host check.
  exit(0);
}
include("audit.inc");
include("debian_package.inc");
# Preconditions. Each guard reads one knowledge-base item and hands control to
# audit() with the matching reason when the item is missing or false. The code
# below relies on audit() not returning (it is defined in audit.inc, which is
# not shown here).

# Local (host-side) checks must have been enabled for this scan.
if (!get_kb_item("Host/local_checks_enabled"))
{
  audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
}

# The target must have been identified as a Debian release.
if (!get_kb_item("Host/Debian/release"))
{
  audit(AUDIT_OS_NOT, "Debian");
}

# The package listing collected from the host must be available; without it
# there is nothing to compare versions against.
if (!get_kb_item("Host/Debian/dpkg-l"))
{
  audit(AUDIT_PACKAGE_LIST_MISSING);
}
# Count how many of the nginx binary packages are reported by deb_check() for
# Debian 9 ("9.0") against the fixed version 1.10.3-1+deb9u5.
#
# deb_check() lives in debian_package.inc (not shown here); presumably it
# compares the installed version from the collected dpkg listing with
# `reference` and returns true when the installed one is older.
#
# Triage note: this is a package-version check only. A hit says an nginx
# package predates the fix; it does not show that the Lua module is loaded or
# that ngx.location.capture is used in the running configuration.
flag = 0;

dla2283_release = "9.0";
dla2283_fixed   = "1.10.3-1+deb9u5";

# Order is kept as published so the generated report lists packages the same way.
dla2283_packages = make_list(
  "libnginx-mod-http-auth-pam",
  "libnginx-mod-http-cache-purge",
  "libnginx-mod-http-dav-ext",
  "libnginx-mod-http-echo",
  "libnginx-mod-http-fancyindex",
  "libnginx-mod-http-geoip",
  "libnginx-mod-http-headers-more-filter",
  "libnginx-mod-http-image-filter",
  "libnginx-mod-http-lua",
  "libnginx-mod-http-ndk",
  "libnginx-mod-http-perl",
  "libnginx-mod-http-subs-filter",
  "libnginx-mod-http-uploadprogress",
  "libnginx-mod-http-upstream-fair",
  "libnginx-mod-http-xslt-filter",
  "libnginx-mod-mail",
  "libnginx-mod-nchan",
  "libnginx-mod-stream",
  "nginx",
  "nginx-common",
  "nginx-doc",
  "nginx-extras",
  "nginx-full",
  "nginx-light"
);

foreach dla2283_package (dla2283_packages)
{
  if (deb_check(release:dla2283_release, prefix:dla2283_package, reference:dla2283_fixed))
  {
    flag++;
  }
}
# Report the outcome of the package checks counted in `flag`.
if (flag == 0)
{
  # No package was flagged: record the host as not affected.
  audit(AUDIT_HOST_NOT, "affected");
}
else
{
  # At least one package was flagged. The finding is raised at warning level
  # on port 0; with verbosity above zero the per-package details returned by
  # deb_report_get() are attached so the analyst can see which packages and
  # versions triggered it.
  if (report_verbosity > 0)
  {
    security_warning(port:0, extra:deb_report_get());
  }
  else
  {
    security_warning(0);
  }
  exit(0);
}
{"id": "DEBIAN_DLA-2283.NASL", "bulletinFamily": "scanner", "title": "Debian DLA-2283-1 : nginx security update", "description": "An HTTP request smuggling issue was discovered in the ngx_lua plugin\nfor nginx, a high-performance web and reverse proxy server, as\ndemonstrated by the ngx.location.capture API.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.10.3-1+deb9u5.\n\nWe recommend that you upgrade your nginx packages.\n\nFor the detailed security status of nginx please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/nginx\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.", "published": "2020-07-21T00:00:00", "modified": "2020-07-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "href": "https://www.tenable.com/plugins/nessus/138782", "reporter": "This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.", "references": ["https://security-tracker.debian.org/tracker/source-package/nginx", "https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html", "https://packages.debian.org/source/stretch/nginx"], "cvelist": ["CVE-2020-11724"], "type": "nessus", "lastseen": "2020-07-24T09:14:17", "edition": 2, "viewCount": 4, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2020-11724"]}, {"type": "debian", "idList": ["DEBIAN:DSA-4750-1:2756A", "DEBIAN:DLA-2283-1:31C77"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-4750.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310892283"]}], "modified": "2020-07-24T09:14:17", "rev": 2}, "score": {"value": 5.4, "vector": "NONE", "modified": "2020-07-24T09:14:17", "rev": 2}, "vulnersScore": 5.4}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2283-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138782);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/07/23\");\n\n script_cve_id(\"CVE-2020-11724\");\n\n script_name(english:\"Debian DLA-2283-1 : nginx security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An HTTP request smuggling issue was discovered in the ngx_lua plugin\nfor nginx, a high-performance web and reverse proxy server, as\ndemonstrated by the ngx.location.capture API.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.10.3-1+deb9u5.\n\nWe recommend that you upgrade your nginx packages.\n\nFor the detailed security status of nginx please refer to its 
security\ntracker page at: https://security-tracker.debian.org/tracker/nginx\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/nginx\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/nginx\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-auth-pam\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-cache-purge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-dav-ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-echo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-fancyindex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-geoip\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-headers-more-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-image-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-lua\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-ndk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-perl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-subs-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-uploadprogress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-upstream-fair\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-http-xslt-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-nchan\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libnginx-mod-stream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx-extras\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx-full\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx-light\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2020/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-auth-pam\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-cache-purge\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-dav-ext\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-echo\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-fancyindex\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-geoip\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-headers-more-filter\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-image-filter\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-lua\", 
reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-ndk\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-perl\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-subs-filter\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-uploadprogress\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-upstream-fair\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-http-xslt-filter\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-mail\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-nchan\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libnginx-mod-stream\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx-common\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx-doc\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx-extras\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx-full\", reference:\"1.10.3-1+deb9u5\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"nginx-light\", reference:\"1.10.3-1+deb9u5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "naslFamily": "Debian Local Security Checks", "pluginID": "138782", "cpe": ["p-cpe:/a:debian:debian_linux:libnginx-mod-nchan", "p-cpe:/a:debian:debian_linux:libnginx-mod-stream", 
"p-cpe:/a:debian:debian_linux:libnginx-mod-http-uploadprogress", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-auth-pam", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-geoip", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-upstream-fair", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-subs-filter", "p-cpe:/a:debian:debian_linux:libnginx-mod-mail", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-cache-purge", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-echo", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-image-filter", "p-cpe:/a:debian:debian_linux:nginx-light", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-dav-ext", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-xslt-filter", "p-cpe:/a:debian:debian_linux:nginx", "p-cpe:/a:debian:debian_linux:nginx-doc", "p-cpe:/a:debian:debian_linux:nginx-common", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-lua", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-perl", "p-cpe:/a:debian:debian_linux:nginx-full", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-headers-more-filter", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-fancyindex", "p-cpe:/a:debian:debian_linux:libnginx-mod-http-ndk", "p-cpe:/a:debian:debian_linux:nginx-extras", "cpe:/o:debian:debian_linux:9.0"], "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "scheme": null}
{"cve": [{"lastseen": "2020-12-09T22:03:05", "description": "An issue was discovered in OpenResty before 1.15.8.4. ngx_http_lua_subrequest.c allows HTTP request smuggling, as demonstrated by the ngx.location.capture API.", "edition": 9, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "baseScore": 7.5, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.6}, "published": "2020-04-12T21:15:00", "title": "CVE-2020-11724", "type": "cve", "cwe": ["CWE-444"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-11724"], "modified": "2020-08-27T00:15:00", "cpe": [], "id": "CVE-2020-11724", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-11724", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "debian": [{"lastseen": "2020-08-27T01:06:59", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11724"], "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4750-1 security@debian.org\nhttps://www.debian.org/security/ Salvatore Bonaccorso\nAugust 26, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : nginx\nCVE ID : 
CVE-2020-11724\nDebian Bug : 964950\n\nIt was reported that the Lua module for Nginx, a high-performance web\nand reverse proxy server, is prone to a HTTP request smuggling\nvulnerability.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 1.14.2-2+deb10u3.\n\nWe recommend that you upgrade your nginx packages.\n\nFor the detailed security status of nginx please refer to its security\ntracker page at:\nhttps://security-tracker.debian.org/tracker/nginx\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org\n", "edition": 1, "modified": "2020-08-26T16:58:29", "published": "2020-08-26T16:58:29", "id": "DEBIAN:DSA-4750-1:2756A", "href": "https://lists.debian.org/debian-security-announce/debian-security-announce-2020/msg00157.html", "title": "[SECURITY] [DSA 4750-1] nginx security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-08-12T00:49:15", "bulletinFamily": "unix", "cvelist": ["CVE-2020-11724"], "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2283-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nJuly 20, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : nginx\nVersion : 1.10.3-1+deb9u5\nCVE ID : CVE-2020-11724\nDebian Bug : 964950\n\nAn HTTP request smuggling issue was discovered in the ngx_lua plugin\nfor nginx, a high-performance web and reverse proxy server, as\ndemonstrated by the ngx.location.capture API.\n\nFor Debian 9 stretch, this problem has been fixed in version\n1.10.3-1+deb9u5.\n\nWe recommend that you upgrade your nginx packages.\n\nFor the detailed security status of nginx please refer to\nits security tracker page 
at:\nhttps://security-tracker.debian.org/tracker/nginx\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS\n", "edition": 3, "modified": "2020-07-20T13:17:53", "published": "2020-07-20T13:17:53", "id": "DEBIAN:DLA-2283-1:31C77", "href": "https://lists.debian.org/debian-lts-announce/2020/debian-lts-announce-202007/msg00014.html", "title": "[SECURITY] [DLA 2283-1] nginx security update", "type": "debian", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-07-21T20:07:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11724"], "description": "The remote host is missing an update for the ", "modified": "2020-07-21T00:00:00", "published": "2020-07-21T00:00:00", "id": "OPENVAS:1361412562310892283", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892283", "type": "openvas", "title": "Debian LTS: Security Advisory for nginx (DLA-2283-1)", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892283\");\n script_version(\"2020-07-21T03:01:33+0000\");\n script_cve_id(\"CVE-2020-11724\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-07-21 10:01:45 +0000 (Tue, 21 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-21 03:01:33 +0000 (Tue, 21 Jul 2020)\");\n script_name(\"Debian LTS: Security Advisory for nginx (DLA-2283-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00014.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2283-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/964950\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'nginx'\n package(s) announced via the DLA-2283-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An HTTP request smuggling issue was discovered in the ngx_lua plugin\nfor nginx, a high-performance web and reverse proxy server, as\ndemonstrated by the ngx.location.capture API.\");\n\n script_tag(name:\"affected\", value:\"'nginx' package(s) on Debian Linux.\");\n\n 
script_tag(name:\"solution\", value:\"For Debian 9 stretch, this problem has been fixed in version\n1.10.3-1+deb9u5.\n\nWe recommend that you upgrade your nginx packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-auth-pam\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-cache-purge\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-dav-ext\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-echo\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-fancyindex\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-geoip\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-headers-more-filter\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-image-filter\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-lua\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-ndk\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-perl\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-subs-filter\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"libnginx-mod-http-uploadprogress\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-upstream-fair\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-http-xslt-filter\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-mail\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-nchan\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libnginx-mod-stream\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx-common\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx-doc\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx-extras\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx-full\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"nginx-light\", ver:\"1.10.3-1+deb9u5\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2020-09-04T01:37:43", "description": "It was reported that the Lua module for Nginx, a high-performance web\nand reverse proxy server, is prone to a HTTP request smuggling\nvulnerability.", "edition": 2, "cvss3": {"score": 7.5, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}, "published": "2020-08-27T00:00:00", "title": "Debian DSA-4750-1 : nginx - security update", "type": 
"nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-11724"], "modified": "2020-08-27T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:10.0", "p-cpe:/a:debian:debian_linux:nginx"], "id": "DEBIAN_DSA-4750.NASL", "href": "https://www.tenable.com/plugins/nessus/139878", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4750. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(139878);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/31\");\n\n script_cve_id(\"CVE-2020-11724\");\n script_xref(name:\"DSA\", value:\"4750\");\n\n script_name(english:\"Debian DSA-4750-1 : nginx - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"It was reported that the Lua module for Nginx, a high-performance web\nand reverse proxy server, is prone to a HTTP request smuggling\nvulnerability.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=964950\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/nginx\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/nginx\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4750\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the nginx packages.\n\nFor the stable distribution (buster), this problem has been fixed in\nversion 1.14.2-2+deb10u3.\"\n );\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:nginx\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/04/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/08/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/08/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-auth-pam\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-cache-purge\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-dav-ext\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-echo\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-fancyindex\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-geoip\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-headers-more-filter\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-image-filter\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-lua\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-ndk\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-perl\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-subs-filter\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", 
prefix:\"libnginx-mod-http-uploadprogress\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-upstream-fair\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-http-xslt-filter\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-mail\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-nchan\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-rtmp\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"libnginx-mod-stream\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx-common\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx-doc\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx-extras\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx-full\", reference:\"1.14.2-2+deb10u3\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"nginx-light\", reference:\"1.14.2-2+deb10u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}]}