CVSS3: 7.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
EPSS: 0.002 Low (Percentile: 52.0%)
The version of AOS installed on the remote host is prior to 6.5.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.5.5.5 advisory.
An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as not connected and won’t initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)
An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur 11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently printed documents. (CVE-2023-32360)
VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted Guest Operation Privileges (https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html) in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias (https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html). (CVE-2023-34058)
open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to simulate user inputs. (CVE-2023-34059)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web Start applications or Untrusted Java applets, such as through a web service. (CVE-2023-22067)
Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition: 20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed by an administrator). (CVE-2023-22081)
A malicious actor that has been granted Guest Operation Privileges (https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html) in a target virtual machine may be able to elevate their privileges if that target virtual machine has been assigned a more privileged Guest Alias (https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html). (CVE-2023-20900)
An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to potentially access sensitive information. (CVE-2023-20593)
An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7. It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets. This may result in denial of service or privilege escalation. (CVE-2023-35788)
The code that processes control channel messages sent to `named` calls certain functions recursively during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on the environment, this may cause the packet-parsing code to run out of available stack memory, causing `named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key; only network access to the control channel’s configured TCP port is necessary. This issue affects BIND 9 versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through 9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)
Information exposure through microarchitectural state after transient execution in certain vector execution units for some Intel® Processors may allow an authenticated user to potentially enable information disclosure via local access. (CVE-2022-40982)
An out-of-bounds write vulnerability in the Linux kernel’s net/sched: sch_qfq component can be exploited to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f. (CVE-2023-3776)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_route component can be exploited to achieve local privilege escalation. When route4_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8. (CVE-2023-4206)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_fw component can be exploited to achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. When u32_change() is called on an existing filter, the whole tcf_result struct is always copied into the new instance of the filter. This causes a problem when updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81. (CVE-2023-4208)
In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users can obtain root privileges. This occurs because anonymous sets are mishandled. (CVE-2023-32233)
Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)
A use-after-free vulnerability in the Linux kernel’s net/sched: cls_u32 component can be exploited to achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can control the reference counter and set it to zero, they can cause the reference to be freed, leading to a use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc. (CVE-2023-3609)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. (CVE-2023-22045)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371, 8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. (CVE-2023-22049)
An issue in the function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out-of-bounds memory. (CVE-2020-22218)
A use-after-free vulnerability exists in curl <7.87.0. Curl can be asked to tunnel virtually all protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations. When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
  script_id(190796);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");
  script_cve_id(
    "CVE-2020-22218",
    "CVE-2022-40982",
    "CVE-2022-43552",
    "CVE-2023-3341",
    "CVE-2023-3609",
    "CVE-2023-3611",
    "CVE-2023-3776",
    "CVE-2023-4128",
    "CVE-2023-4206",
    "CVE-2023-4207",
    "CVE-2023-4208",
    "CVE-2023-20593",
    "CVE-2023-20900",
    "CVE-2023-22045",
    "CVE-2023-22049",
    "CVE-2023-22067",
    "CVE-2023-22081",
    "CVE-2023-32233",
    "CVE-2023-32360",
    "CVE-2023-34058",
    "CVE-2023-34059",
    "CVE-2023-35001",
    "CVE-2023-35788",
    "CVE-2023-40217"
  );
  script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.5.5.5)");
  script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities .");
  script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 6.5.5.5. It is, therefore, affected by multiple
vulnerabilities as referenced in the NXSA-AOS-6.5.5.5 advisory.
- An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x
before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If
a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly,
there is a brief window where the SSLSocket instance will detect the socket as not connected and won't
initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not
be authenticated if the server-side TLS peer is expecting client certificate authentication, and is
indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the
buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path
requires that the connection be closed on initialization of the SSLSocket.) (CVE-2023-40217)
- An authentication issue was addressed with improved state management. This issue is fixed in macOS Big Sur
11.7.7, macOS Monterey 12.6.6, macOS Ventura 13.4. An unauthenticated user may be able to access recently
printed documents. (CVE-2023-32360)
- VMware Tools contains a SAML token signature bypass vulnerability. A malicious actor that has been granted
Guest Operation Privileges https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-
security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine may be able to elevate
their privileges if that target virtual machine has been assigned a more privileged Guest Alias
https://vdc-download.vmware.com/vmwb-repository/dcr-public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-
db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-34058)
- open-vm-tools contains a file descriptor hijack vulnerability in the vmware-user-suid-wrapper. A malicious
actor with non-root privileges may be able to hijack the /dev/uinput file descriptor allowing them to
simulate user inputs. (CVE-2023-34059)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: CORBA). Supported versions that are affected are Oracle Java SE: 8u381, 8u381-perf; Oracle
GraalVM Enterprise Edition: 20.3.11 and 21.3.7. Easily exploitable vulnerability allows unauthenticated
attacker with network access via CORBA to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition.
Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to
some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can
only be exploited by supplying data to APIs in the specified Component without using Untrusted Java Web
Start applications or Untrusted Java applets, such as through a web service. (CVE-2023-22067)
- Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of
Oracle Java SE (component: JSSE). Supported versions that are affected are Oracle Java SE: 8u381,
8u381-perf, 11.0.20, 17.0.8, 21; Oracle GraalVM for JDK: 17.0.8, 21; Oracle GraalVM Enterprise Edition:
20.3.11, 21.3.7 and 22.3.3. Easily exploitable vulnerability allows unauthenticated attacker with network
access via HTTPS to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition.
Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of
service (partial DOS) of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Note:
This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start
applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the
internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java
deployments, typically in servers, that load and run only trusted code (e.g., code installed by an
administrator). (CVE-2023-22081)
- A malicious actor that has been granted Guest Operation Privileges https://docs.vmware.com/en/VMware-
vSphere/8.0/vsphere-security/GUID-6A952214-0E5E-4CCF-9D2A-90948FF643EC.html in a target virtual machine
may be able to elevate their privileges if that target virtual machine has been assigned a more privileged
Guest Alias https://vdc-download.vmware.com/vmwb-repository/dcr-
public/d1902b0e-d479-46bf-8ac9-cee0e31e8ec0/07ce8dbd-
db48-4261-9b8f-c6d3ad8ba472/vim.vm.guest.AliasManager.html . (CVE-2023-20900)
- An issue in Zen 2 CPUs, under specific microarchitectural circumstances, may allow an attacker to
potentially access sensitive information. (CVE-2023-20593)
- An issue was discovered in fl_set_geneve_opt in net/sched/cls_flower.c in the Linux kernel before 6.3.7.
It allows an out-of-bounds write in the flower classifier code via TCA_FLOWER_KEY_ENC_OPTS_GENEVE packets.
This may result in denial of service or privilege escalation. (CVE-2023-35788)
- The code that processes control channel messages sent to `named` calls certain functions recursively
during packet parsing. Recursion depth is only limited by the maximum accepted packet size; depending on
the environment, this may cause the packet-parsing code to run out of available stack memory, causing
`named` to terminate unexpectedly. Since each incoming control channel message is fully parsed before its
contents are authenticated, exploiting this flaw does not require the attacker to hold a valid RNDC key;
only network access to the control channel's configured TCP port is necessary. This issue affects BIND 9
versions 9.2.0 through 9.16.43, 9.18.0 through 9.18.18, 9.19.0 through 9.19.16, 9.9.3-S1 through
9.16.43-S1, and 9.18.0-S1 through 9.18.18-S1. (CVE-2023-3341)
- Information exposure through microarchitectural state after transient execution in certain vector
execution units for some Intel(R) Processors may allow an authenticated user to potentially enable
information disclosure via local access. (CVE-2022-40982)
- An out-of-bounds write vulnerability in the Linux kernel's net/sched: sch_qfq component can be exploited
to achieve local privilege escalation. The qfq_change_agg() function in net/sched/sch_qfq.c allows an out-
of-bounds write because lmax is updated according to packet sizes without bounds checks. We recommend
upgrading past commit 3e337087c3b5805fe0b8a46ba622a962880b5d64. (CVE-2023-3611)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
achieve local privilege escalation. If tcf_change_indev() fails, fw_set_parms() will immediately return an
error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability. We recommend upgrading past commit 0323bce598eea038714f941ce2b22541c46d488f.
(CVE-2023-3776)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_route component can be exploited to
achieve local privilege escalation. When route4_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter. This causes a problem when
updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading
to a use-after-free. We recommend upgrading past commit b80b829e9e2c1b3f7aae34855e04d8f6ecaf13c8.
(CVE-2023-4206)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_fw component can be exploited to
achieve local privilege escalation. When fw_change() is called on an existing filter, the whole tcf_result
struct is always copied into the new instance of the filter. This causes a problem when updating a filter
bound to a class, as tcf_unbind_filter() is always called on the old instance in the success path,
decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading to a use-after-
free. We recommend upgrading past commit 76e42ae831991c828cffa8c37736ebfb831ad5ec. (CVE-2023-4207)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to
achieve local privilege escalation. When u32_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter. This causes a problem when
updating a filter bound to a class, as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class and allowing it to be deleted, leading
to a use-after-free. We recommend upgrading past commit 3044b16e7c6fe5d24b1cdbcf1bd0a9d92d1ebd81.
(CVE-2023-4208)
- In the Linux kernel through 6.3.1, a use-after-free in Netfilter nf_tables when processing batch requests
can be abused to perform arbitrary read and write operations on kernel memory. Unprivileged local users
can obtain root privileges. This occurs because anonymous sets are mishandled. (CVE-2023-32233)
- Linux Kernel nftables Out-Of-Bounds Read/Write Vulnerability; nft_byteorder poorly handled vm register
contents when CAP_NET_ADMIN is in any user or network namespace (CVE-2023-35001)
- A use-after-free vulnerability in the Linux kernel's net/sched: cls_u32 component can be exploited to
achieve local privilege escalation. If tcf_change_indev() fails, u32_set_parms() will immediately return
an error after incrementing or decrementing the reference counter in tcf_bind_filter(). If an attacker can
control the reference counter and set it to zero, they can cause the reference to be freed, leading to a
use-after-free vulnerability. We recommend upgrading past commit 04c55383fa5689357bcdd2c8036725a55ed632bc.
(CVE-2023-3609)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of
Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u371,
8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle
GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise
Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized read
access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK accessible
data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a
web service which supplies data to the APIs. This vulnerability also applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for
security. (CVE-2023-22045)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle GraalVM for JDK product of
Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 8u371,
8u371-perf, 11.0.19, 17.0.7, 20.0.1; Oracle GraalVM Enterprise Edition: 20.3.10, 21.3.6, 22.3.2; Oracle
GraalVM for JDK: 17.0.7 and 20.0.1. Difficult to exploit vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise
Edition, Oracle GraalVM for JDK. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition, Oracle
GraalVM for JDK accessible data. Note: This vulnerability can be exploited by using APIs in the specified
Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to
Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java
applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java
sandbox for security. (CVE-2023-22049)
- An issue was discovered in function _libssh2_packet_add in libssh2 1.10.0 allows attackers to access out
of bounds memory. (CVE-2020-22218)
- A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all
protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct
after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-6.5.5.5
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?3aa862c4");
  script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4208");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/21");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/20");
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();
  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");
  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("nutanix_collect.nasl");
  script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");
  exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info();
var constraints = [
  { 'fixed_version' : '6.5.5.5', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.5.5.5 or higher.', 'lts' : TRUE },
  { 'fixed_version' : '6.5.5.5', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.5.5.5 or higher.', 'lts' : TRUE }
];
vcf::nutanix::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-22218
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40982
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-43552
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20593
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-20900
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22045
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22049
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22067
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22081
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32233
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32360
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3341
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34058
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34059
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35001
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35788
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3609
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3611
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3776
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40217
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4128
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4206
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4207
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4208
www.nessus.org/u?3aa862c4