Ubuntu 16.04 ESM / 18.04 ESM : Python vulnerabilities (USN-6513-1)
The remote Ubuntu 16.04 ESM / 18.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6513-1 advisory. It was discovered that Python incorrectly handled certain plist files. If a user or an automated system were tricked into processing a...
Rocky Linux 8 : grafana (RLSA-2021:4226)
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:4226 advisory. - The snapshot feature in Grafana 6.7.3 through 7.4.1 can allow unauthenticated remote attackers to trigger a Denial of Service via a remote API call...
RHEL 8 : curl (RHSA-2023:6292)
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:6292 advisory. The curl packages provide the libcurl library and the curl utility for downloading files from servers using various protocols, including HTT...
Code injection
It was discovered that when acting as TLS clients, Beats, Elastic Agent, APM Server, and Fleet Server did not verify whether the server certificate is valid for the target IP address; however, certificate signature validation is still performed. More specifically, when the client is configured to...
CVE-2023-5388
It was discovered that the numerical library used in NSS for RSA cryptography leaks information whether high order bits of the RSA decryption result are zero. This information can be used to mount a Bleichenbacher or Manger like attack against all RSA decryption operations. As the leak happens...
Debian dla-3613 : curl - security update
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3613 advisory. - Debian LTS Advisory DLA-3613-1 ...
AlmaLinux 9 : python3.11 (ALSA-2023:5456)
The remote AlmaLinux 9 host has packages installed that are affected by a vulnerability as referenced in the ALSA-2023:5456 advisory. - An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP...
Important: python3
Issue Overview: An issue was discovered in Python before 3.8.18, 3.9.x before 3.9.18, 3.10.x before 3.10.13, and 3.11.x before 3.11.5. It primarily affects servers such as HTTP servers that use TLS client authentication. If a TLS server-side socket is created, receives data into the socket buffer...
Security Bulletin: IBM InfoSphere Global Name Management Vulnerable to CVE-2023-30441
Summary InfoSphere Global Name Management bundles IBM Java as internal component. A combination of two flaws in the JSSE component and IBMJCEPlus security provider expose some IBM Java releases to various cryptographic attacks when acting as a TLS server. This vulnerability is addressed...
AlmaLinux 8 : curl (ALSA-2023:4523)
The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:4523 advisory. - An authentication bypass vulnerability exists in libcurl 8.0.0 in the connection reuse feature which can reuse previously established connections with...
EulerOS 2.0 SP9 : curl (EulerOS-SA-2023-2608)
According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An improper certificate validation vulnerability exists in curl v8.1.0 in the way it supports matching of wildcard patterns when listed as 'Subjec...
EulerOS 2.0 SP9 : curl (EulerOS-SA-2023-2578)
According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An improper certificate validation vulnerability exists in curl v8.1.0 in the way it supports matching of wildcard patterns when listed as 'Subjec...
AlmaLinux 9 : curl (ALSA-2023:4354)
The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2023:4354 advisory. - An improper certificate validation vulnerability exists in curl v8.1.0 in the way it supports matching of wildcard patterns when listed as Subject...
openSUSE 15 Security Update : curl (SUSE-SU-2023:2224-2)
The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2224-2 advisory. - A use after free vulnerability exists in curl v8.1.0 in the way libcurl offers a feature to verify an SSH server's public key using a SHA 256 hash...
Fedora 38 : curl (2023-37eac50e9b)
The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-37eac50e9b advisory. - fix more POST-after-PUT confusion CVE-2023-28322 - fix IDN wildcard match CVE-2023-28321 Tenable has extracted the preceding description block...
Improper Certificate Validation
curl is vulnerable to Improper Certificate Validation. The vulnerability allows matching of wildcard patterns when listed as 'Subject Alternative Name' in TLS server certificates and could result in accepting patterns that otherwise should be mismatched...
CVE-2023-28321
An improper certificate validation vulnerability exists in curl v8.1.0 in the way it supports matching of wildcard patterns when listed as "Subject Alternative Name" in TLS server certificates. curl can be built to use its own name matching function for TLS rather than one provided by a TLS...
CVE-2023-28321
CVE-2023-28321 affects curl before 8.1.0, where a private wildcard matching function used for TLS SAN wildcard patterns can mis-match IDN hostnames. IDNs are punycode-encoded (starting with xn--), but the curl wildcard check could still accept patterns like x* that should not match, potentially a...