CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:3293-1 advisory.
- CVE-2024-7592: quadratic complexity when parsing cookies with backslashes. (bsc#1229596)
- CVE-2024-6923: email header injection due to unquoted newlines. (bsc#1228780)
Bug fixes:
- Set variable %{profileopt} according to the variable %{do_profiling}. (bsc#1227999)
- Stop using %%defattr, as it seems to be breaking proper executable attributes on /usr/bin/ scripts. (bsc#1227378)
- Remove %suse_update_desktop_file macro, as it is not useful any more.
Tenable has extracted the preceding description block directly from the SUSE security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
File data suse_SU-2024-3293-1.nasl
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-6923
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-7592
www.nessus.org/u?38cbef1b
bugzilla.suse.com/1227378
bugzilla.suse.com/1227999
bugzilla.suse.com/1228780
bugzilla.suse.com/1229596
www.suse.com/security/cve/CVE-2024-6923
www.suse.com/security/cve/CVE-2024-7592