The version of AOS installed on the remote host is prior to 6.5.2. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.2 advisory.
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. (CVE-2020-26137)
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. (CVE-2021-3177)
An arbitrary file write vulnerability was found in GNU gzip’s zgrep utility. When zgrep is applied on the attacker’s chosen file name (for example, a crafted file name), this can overwrite an attacker’s content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. (CVE-2022-1271)
A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged user to gain root privileges. The bug allows to build several exploit primitives such as kernel address information leak, arbitrary execution, etc. (CVE-2022-1729)
Incomplete cleanup of multi-core shared buffers for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21123)
Incomplete cleanup of microarchitectural fill buffers on some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)
Incomplete cleanup in specific special register write operations for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-21166)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21540)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21541)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21619)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21624)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21626)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2022-21628)
A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream.c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. (CVE-2022-31676)
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. (CVE-2022-34305)
By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38177)
By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can trigger a small memory leak. It is possible to gradually erode available memory to the point where named crashes for lack of resources. (CVE-2022-38178)
libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)
multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used instead of bitwise OR. (CVE-2022-41974)
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header. (CVE-2022-42252)
PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
(CVE-2022-42898)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(170627);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/01/16");
script_cve_id(
"CVE-2020-26116",
"CVE-2020-26137",
"CVE-2021-3177",
"CVE-2022-1271",
"CVE-2022-1729",
"CVE-2022-2526",
"CVE-2022-21123",
"CVE-2022-21125",
"CVE-2022-21166",
"CVE-2022-21540",
"CVE-2022-21541",
"CVE-2022-21619",
"CVE-2022-21624",
"CVE-2022-21626",
"CVE-2022-21628",
"CVE-2022-29154",
"CVE-2022-31676",
"CVE-2022-34169",
"CVE-2022-34305",
"CVE-2022-38177",
"CVE-2022-38178",
"CVE-2022-40674",
"CVE-2022-41974",
"CVE-2022-42252",
"CVE-2022-42898"
);
script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.2)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 6.5.2. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AOS-6.5.2 advisory.
- http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5
allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR
and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)
- urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as
demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this
is similar to CVE-2020-26116. (CVE-2020-26137)
- Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to
remote code execution in certain Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used
unsafely. (CVE-2021-3177)
- An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the
attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content
to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing
filenames with two or more newlines where selected content and the target file names are embedded in
crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write
arbitrary files on the system. (CVE-2022-1271)
- A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged
user to gain root privileges. The bug allows to build several exploit primitives such as kernel address
information leak, arbitrary execution, etc. (CVE-2022-1729)
- Incomplete cleanup of multi-core shared buffers for some Intel(R) Processors may allow an authenticated
user to potentially enable information disclosure via local access. (CVE-2022-21123)
- Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)
- Incomplete cleanup in specific special register write operations for some Intel(R) Processors may allow an
authenticated user to potentially enable information disclosure via local access. (CVE-2022-21166)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,
17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using
APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21540)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,
17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle
GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for
security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through
a web service which supplies data to the APIs. (CVE-2022-21541)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,
11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to
exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to
compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can
result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM
Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in
clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run
untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This
vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service
which supplies data to the APIs. (CVE-2022-21619)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1,
17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to
the APIs. (CVE-2022-21624)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,
11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability
allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM
Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a
partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This
vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using
APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21626)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341,
8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily
exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not
apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed
by an administrator). (CVE-2022-21628)
- A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function
and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for
the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream
object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)
- An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary
files inside the directories of connecting peers. The server chooses which files/directories are sent to
the client. However, the rsync client performs insufficient validation of file names. A malicious rsync
server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory
and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
- VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious
actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the
virtual machine. (CVE-2022-31676)
- The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious
XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler
and execute arbitrary Java bytecode. The Apache Xalan Java project is dormant and in the process of being
retired. No future releases of Apache Xalan Java to address this issue are expected. Note: Java runtimes
(such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)
- In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the
Form authentication example in the examples web application displayed user provided data without
filtering, exposing a XSS vulnerability. (CVE-2022-34305)
- By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can
trigger a small memory leak. It is possible to gradually erode available memory to the point where named
crashes for lack of resources. (CVE-2022-38177)
- By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can
trigger a small memory leak. It is possible to gradually erode available memory to the point where named
crashes for lack of resources. (CVE-2022-38178)
- libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)
- multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited
alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass
access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used
instead of bitwise OR. (CVE-2022-41974)
- If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was
configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x
only), Tomcat did not reject a request containing an invalid Content-Length header making a request
smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the
request with the invalid header. (CVE-2022-42252)
- PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that
may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit
platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other
platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
(CVE-2022-42898)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-6.5.2
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dddf3b07");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3177");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-2526");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/30");
script_set_attribute(attribute:"patch_publication_date", value:"2023/01/25");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info();
var constraints = [
{ 'fixed_version' : '6.5.2', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.5.2 or higher.', 'lts' : TRUE },
{ 'fixed_version' : '6.5.2', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.5.2 or higher.', 'lts' : TRUE }
];
vcf::nutanix::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
flags:{'xss':TRUE}
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1729
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21123
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21125
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21166
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21619
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21624
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21626
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21628
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2526
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-38178
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40674
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-41974
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42252
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42898
www.nessus.org/u?dddf3b07