Lucene search
Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2024-1406)
🗓️ 21 Mar 2024 00:00:00Reported by Copyright (C) 2024 Greenbone AGType 
openvas🔗 plugins.openvas.org👁 24 Views
Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2024-1406) - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5 affecting servers using TLS client authentication. Vulnerable to CVE-2023-40217
Show more
| Reporter | Title | Published | Views | Family All 199 |
|---|---|---|---|---|
 | SUSE-SU-2023:3828-2 Security update for python3 | 19 Oct 202309:54 | – | osv |
| RHSA-2023:5472 Red Hat Security Advisory: python3.9 security update | 13 Sep 202418:53 | – | osv |
| RHSA-2023:5995 Red Hat Security Advisory: python3 security update | 13 Sep 202418:58 | – | osv |
| RHSA-2023:5991 Red Hat Security Advisory: python27:2.7 security update | 13 Sep 202418:58 | – | osv |
| OPENSUSE-SU-2024:13193-1 python310-3.10.13-1.1 on GA media | 15 Jun 202400:00 | – | osv |
| RLSA-2023:5997 Important: python3 security update | 24 Oct 202318:36 | – | osv |
| RHSA-2023:5462 Red Hat Security Advisory: python3.9 security update | 13 Sep 202418:53 | – | osv |
| RHSA-2023:6068 Red Hat Security Advisory: python39:3.9 and python39-devel:3.9 security update | 13 Sep 202418:59 | – | osv |
| SUSE-SU-2023:3804-1 Security update for python3 | 27 Sep 202312:36 | – | osv |
| RHSA-2023:6823 Red Hat Security Advisory: python3 security update | 13 Sep 202419:01 | – | osv |
10
| Source | Link |
|---|---|
| developer | www.developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html |
# SPDX-FileCopyrightText: 2024 Greenbone AG
# Some text descriptions might be excerpted from (a) referenced
# source(s), and are Copyright (C) by the respective right holder(s).
#
# SPDX-License-Identifier: GPL-2.0-only
if(description)
{
script_oid("1.3.6.1.4.1.25623.1.1.2.2024.1406");
script_cve_id("CVE-2023-40217");
script_tag(name:"creation_date", value:"2024-03-21 04:24:36 +0000 (Thu, 21 Mar 2024)");
script_version("2024-03-21T05:06:54+0000");
script_tag(name:"last_modification", value:"2024-03-21 05:06:54 +0000 (Thu, 21 Mar 2024)");
script_tag(name:"cvss_base", value:"5.0");
script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:P/I:N/A:N");
script_tag(name:"severity_vector", value:"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
script_tag(name:"severity_origin", value:"NVD");
script_tag(name:"severity_date", value:"2023-08-31 14:35:35 +0000 (Thu, 31 Aug 2023)");
script_name("Huawei EulerOS: Security Advisory for python3 (EulerOS-SA-2024-1406)");
script_category(ACT_GATHER_INFO);
script_copyright("Copyright (C) 2024 Greenbone AG");
script_family("Huawei EulerOS Local Security Checks");
script_dependencies("gb_huawei_euleros_consolidation.nasl");
script_mandatory_keys("ssh/login/euleros", "ssh/login/rpms", re:"ssh/login/release=EULEROSVIRT\-2\.11\.1");
script_xref(name:"Advisory-ID", value:"EulerOS-SA-2024-1406");
script_xref(name:"URL", value:"https://developer.huaweicloud.com/intl/en-us/euleros/securitydetail.html?secId=EulerOS-SA-2024-1406");
script_tag(name:"summary", value:"The remote host is missing an update for the Huawei EulerOS 'python3' package(s) announced via the EulerOS-SA-2024-1406 advisory.");
script_tag(name:"vuldetect", value:"Checks if a vulnerable package version is present on the target host.");
script_tag(name:"insight", value:"An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers (such as HTTP servers) that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer, and then is closed quickly, there is a brief window where the SSLSocket instance will detect the socket as 'not connected' and won't initiate a handshake, but buffered data will still be readable from the socket buffer. This data will not be authenticated if the server-side TLS peer is expecting client certificate authentication, and is indistinguishable from valid TLS stream data. Data is limited in size to the amount that will fit in the buffer. (The TLS connection cannot directly be used for data exfiltration because the vulnerable code path requires that the connection be closed on initialization of the SSLSocket.)(CVE-2023-40217)");
script_tag(name:"affected", value:"'python3' package(s) on Huawei EulerOS Virtualization release 2.11.1.");
script_tag(name:"solution", value:"Please install the updated package(s).");
script_tag(name:"solution_type", value:"VendorFix");
script_tag(name:"qod_type", value:"package");
exit(0);
}
include("revisions-lib.inc");
include("pkg-lib-rpm.inc");
release = rpm_get_ssh_release();
if(!release)
exit(0);
res = "";
report = "";
if(release == "EULEROSVIRT-2.11.1") {
if(!isnull(res = isrpmvuln(pkg:"python3", rpm:"python3~3.9.9~7.h25.eulerosv2r11", rls:"EULEROSVIRT-2.11.1"))) {
report += res;
}
if(!isnull(res = isrpmvuln(pkg:"python3-unversioned-command", rpm:"python3-unversioned-command~3.9.9~7.h25.eulerosv2r11", rls:"EULEROSVIRT-2.11.1"))) {
report += res;
}
if(report != "") {
security_message(data:report);
} else if(__pkg_match) {
exit(99);
}
exit(0);
}
exit(0);
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo21 Mar 2024 00:00Current
6.1Medium risk
Vulners AI Score6.1
CVSS35.3
EPSS0.00284
SSVC