Lucene search
K

EulerOS Virtualization 2.13.0 : python3 (EulerOS-SA-2025-2595)

🗓️ 18 Dec 2025 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 6 Views

EulerOS virtualization Python packages face tarfile traversal, mailcap injection, and redirect flaws.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM Cloud Transformation Advisor is vulnerable to multiple vulnerabilities found in Java, Node.js and IBM WebSphere Application Server Liberty
15 Apr 202502:54
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in IBM Storage Defender – Data Protect
30 Aug 202317:27
ibm
IBM Security Bulletins
Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to a path traversal in Python [CVE-2025-4517]
17 Dec 202514:16
ibm
IBM Security Bulletins
Security Bulletin: Vulnerability with Python affect IBM Cloud Object Storage Systems (Sept2023v2)
25 Sep 202322:25
ibm
IBM Security Bulletins
Security Bulletin: Vulnerabilities in Certifi, Setuptools and Python may affect IBM Spectrum Protect Plus Microsoft File Systems Backup and Restore (CVE-2022-23491, CVE-2022-40897, CVE-2022-45061)
1 Feb 202310:43
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in Python may affect the IBM Storage Scale System
12 Dec 202312:03
ibm
IBM Security Bulletins
Security Bulletin: IBM QRadar Network Packet Capture includes components with multiple known vulnerabilities (CVE-2023-2828, CVE-2023-24329, CVE-2022-4839)
14 Nov 202315:29
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities in IBM Spectrum Protect Plus Container backup and restore for Kubernetes and OpenShift
15 Apr 202502:37
ibm
IBM Security Bulletins
Security Bulletin: IBM Maximo Application Suite - Iot Component uses axios 1.7.9 and Python-3.8.17 which is vulnerable to CVE-2023-40217, CVE-2024-6232, CVE-2022-40897, CVE-2024-6345, CVE-2023-5752 and CVE-2025-27152
25 Jun 202508:00
ibm
IBM Security Bulletins
Security Bulletin: multiple vulnerabilities in IBM Spectrum Symphony with Requests and urlib3
23 Oct 202520:25
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(279298);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/12/18");

  script_cve_id(
    "CVE-2007-4559",
    "CVE-2015-20107",
    "CVE-2020-10735",
    "CVE-2021-28861",
    "CVE-2022-42919",
    "CVE-2022-45061",
    "CVE-2023-24329",
    "CVE-2023-40217",
    "CVE-2024-12718",
    "CVE-2025-4138",
    "CVE-2025-4330",
    "CVE-2025-4435",
    "CVE-2025-4517"
  );

  script_name(english:"EulerOS Virtualization 2.13.0 : python3 (EulerOS-SA-2025-2595)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS Virtualization host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the python3 packages installed, the EulerOS Virtualization installation on the remote host
is affected by the following vulnerabilities :

    Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in
    Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in
    filenames in a TAR archive, a related issue to CVE-2001-1267.(CVE-2007-4559)

    In Python (aka CPython) up to 3.10.8, the mailcap module does not add escape characters into commands
    discovered in the system mailcap file. This may allow attackers to inject shell commands into applications
    that call mailcap.findmatch with untrusted input (if they lack validation of user-provided filenames or
    arguments). The fix is also back-ported to 3.7, 3.8, 3.9(CVE-2015-20107)

    A flaw was found in python. In algorithms with quadratic time complexity using non-binary bases, when
    using int('text'), a system could take 50ms to parse an int string with 100,000 digits and 5s for
    1,000,000 digits (float, decimal, int.from_bytes(), and int() for binary bases 2, 4, 8, 16, and 32 are not
    affected). The highest threat from this vulnerability is to system availability.(CVE-2020-10735)

    Python 3.x through 3.10 has an open redirection vulnerability in lib/http/server.py due to no protection
    against multiple (/) at the beginning of URI path which may leads to information disclosure. NOTE: this is
    disputed by a third party because the http.server.html documentation page states 'Warning: http.server is
    not recommended for production. It only implements basic security checks.'(CVE-2021-28861)

    Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-
    default configuration. The Python multiprocessing library, when used with the forkserver start method on
    Linux, allows pickles to be deserialized from any user in the same machine local network namespace, which
    in many system configurations means any user on the same machine. Pickles can execute arbitrary code.
    Thus, this allows for local user privilege escalation to the user that any forkserver process is running
    as. Setting multiprocessing.util.abstract_sockets_supported to False is a workaround. The forkserver start
    method for multiprocessing is not the default start method. This issue is Linux specific because only
    Linux supports abstract namespace sockets. CPython before 3.9 does not make use of Linux abstract
    namespace sockets by default. Support for users manually specifying an abstract namespace socket was added
    as a bugfix in 3.7.8 and 3.8.3, but users would need to make specific uncommon API calls in order to do
    that in CPython before 3.9.(CVE-2022-42919)

    An issue was discovered in Python before 3.11.1. An unnecessary quadratic algorithm exists in one path
    when processing some inputs to the IDNA (RFC 3490) decoder, such that a crafted, unreasonably long name
    being presented to the decoder could lead to a CPU denial of service. Hostnames are often supplied by
    remote servers that could be controlled by a malicious actor; in such a scenario, they could trigger
    excessive CPU consumption on the client attempting to make use of an attacker-supplied supposed hostname.
    For example, the attack payload could be placed in the Location header of an HTTP response with status
    code 302. A fix is planned in 3.11.1, 3.10.9, 3.9.16, 3.8.16, and 3.7.16.(CVE-2022-45061)

    An issue in the urllib.parse component of Python before 3.11.4 allows attackers to bypass blocklisting
    methods by supplying a URL that starts with blank characters.(CVE-2023-24329)

    An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x
    before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If
    a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,
    there is a brief window where the SSLSocket instance will detect the socket as 'not connected' and won't
    initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not
    be authenticated if the server-side TLS peer is expecting client certificate authentication, and is
    indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the
    buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path
    requires that the connection be closed on initialization of the SSLSocket.)(CVE-2023-40217)

    Allows modifying some file metadata (e.g. last modified) with filter='data' or file permissions (chmod)
    with filter='tar' of files outside the extraction directory. You are affected by this vulnerability if
    using the tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract()
    using the filter= parameter with a value of 'data' or 'tar'. See the tarfile extraction filters
    documentation https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more
    information. Only Python versions 3.12 or later are affected by these vulnerabilities, earlier versions
    don't include the extraction filter feature. Note that for Python 3.14 or later the default value of
    filter= changed from 'no filtering' to `'data', so if you are relying on this new default behavior then
    your usage is also affected. Note that none of these vulnerabilities significantly affect the installation
    of source distributions which are tar archives as source distributions already allow arbitrary code
    execution during the build process. However when evaluating source distributions it's important to avoid
    installing source distributions with suspicious links. (CVE-2024-12718)

    Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination
    directory, and the modification of some file metadata. You are affected by this vulnerability if using the
    tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the
    filter= parameter with a value of 'data' or 'tar'. See the tarfile extraction filters documentation
    https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that
    for Python 3.14 or later the default value of filter= changed from 'no filtering' to `'data', so if you
    are relying on this new default behavior then your usage is also affected. Note that none of these
    vulnerabilities significantly affect the installation of source distributions which are tar archives as
    source distributions already allow arbitrary code execution during the build process. However when
    evaluating source distributions it's important to avoid installing source distributions with suspicious
    links. (CVE-2025-4138)

    Allows the extraction filter to be ignored, allowing symlink targets to point outside the destination
    directory, and the modification of some file metadata. You are affected by this vulnerability if using the
    tarfile module to extract untrusted tar archives using TarFile.extractall() or TarFile.extract() using the
    filter= parameter with a value of 'data' or 'tar'. See the tarfile extraction filters documentation
    https://docs.python.org/3/library/tarfile.html#tarfile-extraction-filter for more information. Note that
    for Python 3.14 or later the default value of filter= changed from 'no filtering' to `'data', so if you
    are relying on this new default behavior then your usage is also affected. Note that none of these
    vulnerabilities significantly affect the installation of source distributions which are tar archives as
    source distributions already allow arbitrary code execution during the build process. However when
    evaluating source distributions it's important to avoid installing source distributions with suspicious
    links.(CVE-2025-4330)

    When using a TarFile.errorlevel = 0 and extracting with a filter the documented behavior is that any
    filtered members would be skipped and not extracted. However the actual behavior of TarFile.errorlevel = 0
    in affected versions is that the member would still be extracted and not skipped.(CVE-2025-4435)

    Allows arbitrary filesystem writes outside the extraction directory during extraction with filter='data'.
    You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using
    TarFile.extractall() or TarFile.extract() using the filter= parameter with a value of 'data' or 'tar'. See
    the tarfile extraction filters documentation https://docs.python.org/3/library/tarfile.html#tarfile-
    extraction-filter for more information. Note that for Python 3.14 or later the default value of filter=
    changed from 'no filtering' to `'data', so if you are relying on this new default behavior then your usage
    is also affected. Note that none of these vulnerabilities significantly affect the installation of source
    distributions which are tar archives as source distributions already allow arbitrary code execution during
    the build process. However when evaluating source distributions it's important to avoid installing source
    distributions with suspicious links. (CVE-2025-4517)

Tenable has extracted the preceding description block directly from the EulerOS Virtualization python3 security
advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2025-2595
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?660cbb86");
  script_set_attribute(attribute:"solution", value:
"Update the affected python3 packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:C/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss4_vector", value:"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H");
  script_set_attribute(attribute:"cvss4_threat_vector", value:"CVSS:4.0/E:P");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2015-20107");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-42919");
  script_set_attribute(attribute:"cvss4_score_source", value:"CVE-2024-12718");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2007/08/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/12/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-fgo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-unversioned-command");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:2.13.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (uvp != "2.13.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 2.13.0");
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "python3-3.9.9-28.h13.eulerosv2r13",
  "python3-fgo-3.9.9-28.h13.eulerosv2r13",
  "python3-unversioned-command-3.9.9-28.h13.eulerosv2r13"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "python3");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

18 Dec 2025 00:00Current
8.1High risk
Vulners AI Score8.1
CVSS 28
CVSS 3.17.8 - 9.8
EPSS0.27095
SSVC
6