6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
[R2] Nessus Version 10.4.0 Fixes Multiple Vulnerabilities Arnie Cabral Thu, 10/27/2022 - 10:48
Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (select2.js, jQuery UI) were found to contain vulnerabilities, and updated versions have been made available by the providers. Additionally, two separate vulnerabilities (Client Side Validation Bypass and Improper Access Control) were discovered, reported and fixed.
1. CVE-2022-3498 - An authenticated attacker could modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server.
2. CVE-2022-3499 - An authenticated attacker could utilize the identical agent and cluster node linking keys to potentially allow for a scenario where unauthorized disclosure of agent logs and data is present.
Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.4.0 fixes the reported Client Side Validation Bypass and Improper Access Control vulnerabilities, updates jquery-ui to version 1.13.2 and select2.js to version 4.0.13 to address the remaining identified vulnerabilities.