The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by a vulnerability as referenced in the USN-5220-1 advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-5220-1. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##
include('compat.inc');
if (description)
{
script_id(183145);
script_version("1.0");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/16");
script_cve_id("CVE-2021-29472");
script_xref(name:"USN", value:"5220-1");
script_name(english:"Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM : Composer vulnerability (USN-5220-1)");
script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM host has a package installed that is affected by a vulnerability as
referenced in the USN-5220-1 advisory.
- Composer is a dependency manager for PHP. URLs for Mercurial repositories in the root composer.json and
package source download URLs are not sanitized correctly. Specifically crafted URL values allow code to be
executed in the HgDriver if hg/Mercurial is installed on the system. The impact to Composer users directly
is limited as the composer.json file is typically under their own control and source download URLs can
only be supplied by third party Composer repositories they explicitly trust to download and execute source
code from, e.g. Composer plugins. The main impact is to services passing user input to Composer, including
Packagist.org and Private Packagist. This allowed users to trigger remote code execution. The
vulnerability has been patched on Packagist.org and Private Packagist within 12h of receiving the initial
vulnerability report and based on a review of logs, to the best of our knowledge, was not abused by
anyone. Other services/tools using VcsRepository/VcsDriver or derivatives may also be vulnerable and
should upgrade their composer/composer dependency immediately. Versions 1.10.22 and 2.0.13 include patches
for this issue. (CVE-2021-29472)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-5220-1");
script_set_attribute(attribute:"solution", value:
"Update the affected composer package.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-29472");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/04/27");
script_set_attribute(attribute:"patch_publication_date", value:"2022/07/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:16.04:-:esm");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:18.04:-:esm");
script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:20.04:-:esm");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:composer");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Ubuntu Local Security Checks");
script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('16.04' >< os_release || '18.04' >< os_release || '20.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);
var pkgs = [
{'osver': '16.04', 'pkgname': 'composer', 'pkgver': '1.0.0~beta2-1ubuntu0.1~esm1'},
{'osver': '18.04', 'pkgname': 'composer', 'pkgver': '1.6.3-1ubuntu0.1~esm1'},
{'osver': '20.04', 'pkgname': 'composer', 'pkgver': '1.10.1-1ubuntu0.1~esm1'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var osver = NULL;
var pkgname = NULL;
var pkgver = NULL;
if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
if (osver && pkgname && pkgver) {
if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : ubuntu_report_get()
);
exit(0);
}
else
{
var tested = ubuntu_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'composer');
}
Vendor | Product | Version | CPE |
---|---|---|---|
canonical | ubuntu_linux | 16.04 | cpe:/o:canonical:ubuntu_linux:16.04:-:esm |
canonical | ubuntu_linux | 18.04 | cpe:/o:canonical:ubuntu_linux:18.04:-:esm |
canonical | ubuntu_linux | 20.04 | cpe:/o:canonical:ubuntu_linux:20.04:-:esm |
canonical | ubuntu_linux | composer | p-cpe:/a:canonical:ubuntu_linux:composer |