The version of AOS installed on the remote host is prior to 6.6. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6 advisory.
In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. (CVE-2022-34305)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21426)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21434)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21443)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21449)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21476)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21496)
An arbitrary file write vulnerability was found in GNU gzip’s zgrep utility. When zgrep is applied on the attacker’s chosen file name (for example, a crafted file name), this can overwrite an attacker’s content to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing filenames with two or more newlines where selected content and the target file names are embedded in crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write arbitrary files on the system. (CVE-2022-1271)
An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary files inside the directories of connecting peers. The server chooses which files/directories are sent to the client. However, the rsync client performs insufficient validation of file names. A malicious rsync server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. (CVE-2020-26137)
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used unsafely. (CVE-2021-3177)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21540)
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. (CVE-2022-21541)
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the broker that can lead to a remote code execution attack. (CVE-2018-1270)
An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)
Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)
VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the virtual machine. (CVE-2022-31676)
zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many distant matches. (CVE-2018-25032)
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors. (CVE-2022-25762)
The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop forever for non-prime moduli. Internally this function is used when parsing certificates that contain elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has invalid explicit curve parameters. Since certificate parsing happens prior to verification of the certificate signature, any process that parses an externally supplied certificate may thus be subject to a denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients consuming server certificates - TLS servers consuming client certificates - Hosting providers taking certificates or private keys from customers - Certificate authorities parsing certification requests from subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate which makes it slightly harder to trigger the infinite loop. However any operation which requires the public key from the certificate will trigger the infinite loop. In particular the attacker can use a self- signed certificate to trigger the loop during verification of the certificate signature. This issue affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the 15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected 1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)
Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - script - execute expressions using the JVM script execution engine (javax.script) - dns - resolve dns records - url - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default. (CVE-2022-42889)
A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function and dns_stream_complete() function in ‘resolved-dns-stream.c’ not incrementing the reference counting for the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)
In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
(CVE-2021-45960)
In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for m_groupSize. (CVE-2021-46143)
addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)
build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)
defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22824)
lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)
nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22826)
storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)
Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)
xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)
xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters into namespace URIs. (CVE-2022-25236)
In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)
The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks. (CVE-2022-29885)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(170557);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/06");
script_cve_id(
"CVE-2018-1270",
"CVE-2018-25032",
"CVE-2020-26116",
"CVE-2020-26137",
"CVE-2021-3177",
"CVE-2021-21996",
"CVE-2021-45960",
"CVE-2021-46143",
"CVE-2022-0778",
"CVE-2022-1271",
"CVE-2022-2526",
"CVE-2022-21426",
"CVE-2022-21434",
"CVE-2022-21443",
"CVE-2022-21449",
"CVE-2022-21476",
"CVE-2022-21496",
"CVE-2022-21540",
"CVE-2022-21541",
"CVE-2022-22720",
"CVE-2022-22822",
"CVE-2022-22823",
"CVE-2022-22824",
"CVE-2022-22825",
"CVE-2022-22826",
"CVE-2022-22827",
"CVE-2022-23852",
"CVE-2022-25235",
"CVE-2022-25236",
"CVE-2022-25315",
"CVE-2022-25762",
"CVE-2022-29154",
"CVE-2022-29885",
"CVE-2022-31676",
"CVE-2022-34169",
"CVE-2022-34305",
"CVE-2022-42889"
);
script_name(english:"Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6)");
script_set_attribute(attribute:"synopsis", value:
"The Nutanix AOS host is affected by multiple vulnerabilities .");
script_set_attribute(attribute:"description", value:
"The version of AOS installed on the remote host is prior to 6.6. It is, therefore, affected by multiple vulnerabilities
as referenced in the NXSA-AOS-6.6 advisory.
- In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the
Form authentication example in the examples web application displayed user provided data without
filtering, exposing a XSS vulnerability. (CVE-2022-34305)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,
18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability
allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,
Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized
ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise
Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java
Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes
from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21426)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,
17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to
the APIs. (CVE-2022-21434)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,
17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM
Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to
the APIs. (CVE-2022-21443)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle
GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated
attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM
Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion
or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition
accessible data. Note: This vulnerability applies to Java deployments, typically in clients running
sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,
code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also
be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to
the APIs. (CVE-2022-21449)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,
17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise
Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients
running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code
(e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability
can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies
data to the APIs. (CVE-2022-21476)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,
18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability
allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,
Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized
update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible
data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java
Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes
from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by
using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21496)
- An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the
attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content
to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing
filenames with two or more newlines where selected content and the target file names are embedded in
crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write
arbitrary files on the system. (CVE-2022-1271)
- An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary
files inside the directories of connecting peers. The server chooses which files/directories are sent to
the client. However, the rsync client performs insufficient validation of file names. A malicious rsync
server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory
and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)
- http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5
allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR
and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)
- urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as
demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this
is similar to CVE-2020-26116. (CVE-2020-26137)
- Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to
remote code execution in certain Python applications that accept floating-point numbers as untrusted
input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used
unsafely. (CVE-2021-3177)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,
17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web
Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from
the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using
APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
(CVE-2022-21540)
- Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE
(component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,
17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit
vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise
Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in
unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle
GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,
typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load
and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for
security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through
a web service which supplies data to the APIs. (CVE-2022-21541)
- The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious
XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler
and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java
runtimes (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)
- Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported
versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP
broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the
broker that can lead to a remote code execution attack. (CVE-2018-1270)
- An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and
source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)
- Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered
discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)
- VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious
actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the
virtual machine. (CVE-2022-31676)
- zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many
distant matches. (CVE-2018-25032)
- If a web application sends a WebSocket message concurrently with the WebSocket connection closing when
running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the
application will continue to use the socket after it has been closed. The error handling triggered in this
case could cause the a pooled object to be placed in the pool twice. This could result in subsequent
connections using the same object concurrently which could result in data being returned to the wrong use
and/or other errors. (CVE-2022-25762)
- The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop
forever for non-prime moduli. Internally this function is used when parsing certificates that contain
elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point
encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has
invalid explicit curve parameters. Since certificate parsing happens prior to verification of the
certificate signature, any process that parses an externally supplied certificate may thus be subject to a
denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they
can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients
consuming server certificates - TLS servers consuming client certificates - Hosting providers taking
certificates or private keys from customers - Certificate authorities parsing certification requests from
subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that
use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS
issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate
which makes it slightly harder to trigger the infinite loop. However any operation which requires the
public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-
signed certificate to trigger the loop during verification of the certificate signature. This issue
affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the
15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected
1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)
- Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and
expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an
instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with
version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that
could result in arbitrary code execution or contact with remote servers. These lookups are: - script -
execute expressions using the JVM script execution engine (javax.script) - dns - resolve dns records -
url - load values from urls, including from remote servers Applications using the interpolation defaults
in the affected versions may be vulnerable to remote code execution or unintentional contact with remote
servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons
Text 1.10.0, which disables the problematic interpolators by default. (CVE-2022-42889)
- A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function
and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for
the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream
object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)
- In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in
xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
(CVE-2021-45960)
- In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for
m_groupSize. (CVE-2021-46143)
- addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)
- build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)
- defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22824)
- lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)
- nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
(CVE-2022-22826)
- storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)
- Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with
a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)
- xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks
for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)
- xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters
into namespace URIs. (CVE-2022-25236)
- In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)
- The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and
8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an
untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and
integrity protection, it does not protect against all risks associated with running over any untrusted
network, particularly DoS risks. (CVE-2022-29885)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://portal.nutanix.com/page/documents/security-advisories/release-advisories/details?id=NXSA-AOS-6.6
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a320a055");
script_set_attribute(attribute:"solution", value:
"Update the Nutanix AOS software to recommended version.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-45960");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2022-42889");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Apache Commons Text RCE');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2018/04/05");
script_set_attribute(attribute:"patch_publication_date", value:"2023/01/24");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/24");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:nutanix:aos");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Misc.");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("nutanix_collect.nasl");
script_require_keys("Host/Nutanix/Data/lts", "Host/Nutanix/Data/Service", "Host/Nutanix/Data/Version", "Host/Nutanix/Data/arch");
exit(0);
}
include('vcf.inc');
include('vcf_extras.inc');
var app_info = vcf::nutanix::get_app_info();
var constraints = [
{ 'fixed_version' : '6.6', 'product' : 'AOS', 'fixed_display' : 'Upgrade the AOS install to 6.6 or higher.', 'lts' : FALSE },
{ 'fixed_version' : '6.6', 'product' : 'NDFS', 'fixed_display' : 'Upgrade the AOS install to 6.6 or higher.', 'lts' : FALSE }
];
vcf::nutanix::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_HOLE,
flags:{'xss':TRUE}
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1270
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-25032
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21996
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45960
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46143
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0778
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-1271
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21426
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21434
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21443
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21449
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21476
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21496
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21540
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21541
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22720
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22822
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22823
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22824
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22825
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22826
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22827
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23852
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25235
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25236
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2526
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25315
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29154
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29885
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31676
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-34305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-42889
www.nessus.org/u?a320a055