Medium: open-vm-tools

Issue Overview: VMware Tools contains an insecure file handling vulnerability. A malicious actor with non-administrative privileges on a guest VM may tamper the local files to trigger insecure file operations within that VM. CVE-2025-22247 Affected Packages: open-vm-tools Note: This advisory is...

Medium: python-requests

Issue Overview: Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made with verify=False to disable cert verification, all subsequent requests to the same host will continue to ignore cert verification regardless of changes to th...

Medium: tomcat

Issue Overview: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security...

Amazon Linux 2 : kernel (ALASKERNEL-5.15-2025-072)

The version of kernel installed on the remote host is prior to 5.15.182-123.190. It is, therefore, affected by a vulnerability as referenced in the ALAS2KERNEL-5.15-2025-072 advisory. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported...

Amazon Linux 2 : jetty (ALAS-2025-2871)

It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2871 advisory. In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CVE-2021-28165 Tenable has extracted the precedin...

Amazon Linux 2 : soci-snapshotter (ALASDOCKER-2025-064)

The version of soci-snapshotter installed on the remote host is prior to 0.9.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2025-064 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line...

Medium: yelp-xsl

Issue Overview: A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. CVE-2025-3155 Affected Packages: yelp-xsl...

Important: kernel-livepatch-5.10.234-225.921

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: geneve: Fix use-after-free in genevefinddev. CVE-2025-21858 Affected Packages: kernel-livepatch-5.10.234-225.921 Issue Correction: Please ensure you have live patching enabled. Run yum update...

Low: ImageMagick

Issue Overview: In MIFF image processing in ImageMagick before 7.1.1-44, image depth is mishandled after SetQuantumFormat is used. CVE-2025-43965 Affected Packages: ImageMagick Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FAQ section for the difference betwe...

Amazon Linux 2 : kernel (ALAS-2025-2865)

The version of kernel installed on the remote host is prior to 4.14.355-277.647. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2865 advisory. In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the...

Medium: yelp

Issue Overview: A flaw was found in Yelp. The Gnome user help application allows the help document to execute arbitrary scripts. This vulnerability allows malicious users to input help documents, which may exfiltrate user files to an external environment. CVE-2025-3155 Affected Packages: yelp Not...

Amazon Linux 2 : oci-add-hooks (ALASNITRO-ENCLAVES-2025-061)

The version of oci-add-hooks installed on the remote host is prior to 0-0.3.20200504git325a340. It is, therefore, affected by a vulnerability as referenced in the ALAS2NITRO-ENCLAVES-2025-061 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid...

Medium: jetty

Issue Overview: In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame. CVE-2021-28165 Affected Packages: jetty Note: This advisory is applicable to Amazon Linux 2 AL2 Core repository. Visit this FA...

Important: postgresql

Issue Overview: Improper neutralization of quoting syntax in PostgreSQL libpq functions PQescapeLiteral, PQescapeIdentifier, PQescapeString, and PQescapeStringConn allows a database input provider to achieve SQL injection in certain usage patterns. Specifically, SQL injection requires the...

Amazon Linux 2 : webkitgtk4, --advisory ALAS2-2025-2869 (ALAS-2025-2869)

The version of webkitgtk4 installed on the remote host is prior to 2.46.6-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2869 advisory. The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma...

Important: cri-tools

Issue Overview: The various Is methods IsPrivate, IsLoopback, etc did not work as expected for IPv4-mapped IPv6 addresses, returning false for addresses which would return true in their traditional IPv4 forms. CVE-2024-24790 The net/http package accepted data in the chunked transfer encoding...

Important: nerdctl

Issue Overview: The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size line terminated by a bare LF. When used in conjunction with a server or proxy which incorrectly interprets a bare LF in a chunk extension as part of the extension, this could permi...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: NFSv4.0: Fix a use-after-free problem in the asynchronous open CVE-2024-53173 In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvmgetvcpu...

Amazon Linux 2 : oci-add-hooks (ALASDOCKER-2025-065)

The version of oci-add-hooks installed on the remote host is prior to 0-0.3.20200504git325a340. It is, therefore, affected by a vulnerability as referenced in the ALAS2DOCKER-2025-065 advisory. The net/http package accepted data in the chunked transfer encoding containing an invalid chunk-size li...

Amazon Linux 2 : python-requests (ALAS-2025-2868)

The version of python-requests installed on the remote host is prior to 2.6.0-10. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2868 advisory. Requests is a HTTP library. Prior to 2.32.0, when making requests through a Requests Session, if the first request is made...