Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

redhat RHSA-2022:5498: RHSA-2022:5498: Satellite 6.11 Release (Moderate)

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:5498 advisory.

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

  - Sidekiq through 5.1.3 and 6.x through 6.2.0 allows XSS via the queue name of the live-poll feature when     Internet Explorer is used. (CVE-2021-30151)

  - Buffer overflow vulnerability in libsolv 2020-12-13 via the Solver * testcase_read(Pool *pool, FILE *fp,     const char *testcase, Queue *job, char **resultp, int *resultflagsp function at src/testcase.c: line 2334,     which could cause a denial of service (CVE-2021-3200)

  - sqlparse is a non-validating SQL parser module for Python. In sqlparse versions 0.4.0 and 0.4.1 there is a     regular Expression Denial of Service in sqlparse vulnerability. The regular expression may cause     exponential backtracking on strings containing many repetitions of '\r\n' in SQL comments. Only the     formatting feature that removes comments from SQL statements is affected by this regular expression. As a     workaround don't use the sqlformat.format function with keyword strip_comments=True or the --strip-     comments command line flag when using the sqlformat command line tool. The issues has been fixed in     sqlparse 0.4.2. (CVE-2021-32839)

  - Buffer overflow vulnerability in function pool_installable in src/repo.h in libsolv before 0.7.17 allows     attackers to cause a Denial of Service. (CVE-2021-33928)

  - Buffer overflow vulnerability in function pool_disabled_solvable in src/repo.h in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33929)

  - Buffer overflow vulnerability in function pool_installable_whatprovides in src/repo.h in libsolv before     0.7.17 allows attackers to cause a Denial of Service. (CVE-2021-33930)

  - Buffer overflow vulnerability in function prune_to_recommended in src/policy.c in libsolv before 0.7.17     allows attackers to cause a Denial of Service. (CVE-2021-33938)

  - A server side remote code execution vulnerability was found in Foreman project. A authenticated attacker     could use Sendmail configuration options to overwrite the defaults and perform command injection. The     highest threat from this vulnerability is to confidentiality, integrity and availability of system. Fixed     releases are 2.4.1, 2.5.1, 3.0.0. (CVE-2021-3584)

  - Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with     a proxy which forwards HTTP header values which contain the LF character could allow HTTP request     smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to     another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is     Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via     HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two     requests, and when processing the second request, send back a response that the proxy does not expect. If     the proxy has reused the persistent connection to Puma to send another request for a different client, the     second response from the first client will be sent to the second client. This vulnerability was patched in     Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`. (CVE-2021-41136)

  - The Candlepin component of Red Hat Satellite was affected by an improper authentication flaw. Few factors     could allow an attacker to use the SCA (simple content access) certificate for authentication with     Candlepin. (CVE-2021-4142)

  - In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit     configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from     LDAP servers. (CVE-2021-42550)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - lxml is a library for processing XML and HTML in the Python language. Prior to version 4.6.5, the HTML     Cleaner in lxml.html lets certain crafted script content pass through, as well as script content in SVG     files embedded using data URIs. Users that employ the HTML cleaner in a security relevant context should     upgrade to lxml 4.6.5 to receive a patch. There are no known workarounds available. (CVE-2021-43818)

  - In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with     trailing newlines could bypass upstream access control based on URL paths. (CVE-2021-44420)

  - Two heap-overflow vulnerabilities exist in openSUSE/libsolv libsolv through 13 Dec 2020 in the decisionmap     variable via the resolve_dependencies function at src/solver.c (line 1940 & line 1995), which could cause     a remote Denial of Service. (CVE-2021-44568)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1.
    UserAttributeSimilarityValidator incurred significant overhead in evaluating a submitted password that was     artificially large in relation to the comparison values. In a situation where access to user registration     was unrestricted, this provided a potential vector for a denial-of-service attack. (CVE-2021-45115)

  - An issue was discovered in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1. Due to     leveraging the Django Template Language's variable resolution logic, the dictsort template filter was     potentially vulnerable to information disclosure, or an unintended method call, if passed a suitably     crafted key. (CVE-2021-45116)

  - Storage.save in Django 2.2 before 2.2.26, 3.2 before 3.2.11, and 4.0 before 4.0.1 allows directory     traversal if crafted filenames are directly passed to it. (CVE-2021-45452)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Action Pack is a framework for handling and responding to web requests. Under certain circumstances     response bodies will not be closed. In the event a response is *not* notified of a `close`,     `ActionDispatch::Executor` will not know to reset thread local state for the next request. This can lead     to data being leaked to subsequent requests.This has been fixed in Rails 7.0.2.1, 6.1.4.5, 6.0.4.5, and     5.2.6.1. Upgrading is highly recommended, but to work around this problem a middleware described in GHSA-     wh98-p28r-vrc9 can be used. (CVE-2022-23633)

  - Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not     always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body     being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of     these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information     leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions     7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the     vulnerability. (CVE-2022-23634)

  - An issue was discovered in MultiPartParser in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before     4.0.2. Passing certain inputs to multipart forms could result in an infinite loop when parsing files.
    (CVE-2022-23833)

  - In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting     stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
    (CVE-2022-23837)

  - An issue was discovered in Django 2.2 before 2.2.28, 3.2 before 3.2.13, and 4.0 before 4.0.4.
    QuerySet.annotate(), aggregate(), and extra() methods are subject to SQL injection in column aliases via a     crafted dictionary (with dictionary expansion) as the passed **kwargs. (CVE-2022-28346)

  - A SQL injection issue was discovered in QuerySet.explain() in Django 2.2 before 2.2.28, 3.2 before 3.2.13,     and 4.0 before 4.0.4. This occurs by passing a crafted dictionary (with dictionary expansion) as the
    **options argument, and placing the injection payload in an option name. (CVE-2022-28347)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6049-1 advisory.

  - The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a     ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server,     forcing the server to allocate all of its free memory to a single decoder. (CVE-2020-11612)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - Netty project is an event-driven asynchronous network application framework. In versions prior to     4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an     infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a     custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Netty project is an event-driven asynchronous network application framework. Starting in version     4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of     values, header value validation was not performed, allowing malicious header values in the iterator to     perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work     around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a     `remove()` call, and call `add()` in a loop over the iterator of values. (CVE-2022-41915)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE- SU-2022:1315-1 advisory.

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Oracle NoSQL Database Enterprise running on the remote host is prior to 21.1.12. It is, therefore, affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Security-in-Depth issue in Oracle NoSQL Database (component: Administration (Netty). This vulnerability     cannot be exploited in the context of this product. (CVE-2021-21409)

  - Security-in-Depth issue in Oracle NoSQL Database (component: Snappy frame decoder function). The Snappy     frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside     this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to     excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that     decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
    (CVE-2021-37137)

  - Security-in-Depth issue in Oracle NoSQL Database (component: Administration (Go). This vulnerability     cannot be exploited in the context of this product. (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3656 advisory.

  - velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)

  - netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)

  - apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)

  - wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)

  - undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS     (CVE-2021-3597)

  - wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

  - wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)

  - undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:3658 advisory.

  - velocity: arbitrary code execution when attacker is able to modify templates (CVE-2020-13936)

  - netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - jakarta-el: ELParserTokenManager enables invalid EL expressions to be evaluate (CVE-2021-28170)

  - apache-commons-io: Limited path traversal in Apache Commons IO 2.2 to 2.6 (CVE-2021-29425)

  - wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)

  - undertow: HTTP2SourceChannel fails to write final frame under some circumstances may lead to DoS     (CVE-2021-3597)

  - wildfly-elytron: possible timing attack in ScramServer (CVE-2021-3642)

  - wildfly-core: Invalid Sensitivity Classification of Vault Expression (CVE-2021-3644)

  - undertow: buffer leak on incoming websocket PONG message may lead to DoS (CVE-2021-3690)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 17.12.11, 18.8.11, 19.12.10, and 20.12.0 versions of Primavera Gateway installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2021 CPU advisory.

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Nimbus JOSE+JWT)). Supported versions that are affected are 18.8.0-18.8.11. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Primavera     Gateway. Successful attacks of this vulnerability can result in takeover of Primavera Gateway.
    (CVE-2019-17195)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Lodash)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10 and     20.12.0. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data and     unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Gateway.
    (CVE-2020-8203)

  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component: Admin     (Netty)). Supported versions that are affected are 17.12.0-17.12.11, 18.8.0-18.8.11 and 19.12.0-19.12.10.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to     compromise Primavera Gateway. Successful attacks of this vulnerability can result in unauthorized     creation, deletion or modification access to critical data or all Primavera Gateway accessible data.
    (CVE-2021-21409)     
  - Vulnerability in the Primavera Gateway product of Oracle Construction and Engineering (component:
    jackson-databind). (CVE-2020-36189)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2692 advisory.

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2693 advisory.

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2694 advisory.

  - netty: Request smuggling via content-length header (CVE-2021-21409)

  - wildfly: XSS via admin console when creating roles in domain mode (CVE-2021-3536)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the zookeeper package has been released.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1511 advisory.

  - netty: Information disclosure via the local system temporary directory (CVE-2021-21290)

  - netty: possible request smuggling in HTTP/2 due missing validation (CVE-2021-21295)

  - netty: Request smuggling via content-length header (CVE-2021-21409)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security issues were discovered in Netty, a Java NIO client/server framework, which could result in HTTP request smuggling, denial of service or information disclosure.

ID	Name	Product	Family	Severity
184590	Rocky Linux 8 : Satellite 6.11 Release (Moderate) (RLSA-2022:5498)	Nessus	Rocky Linux Local Security Checks	critical
174932	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 LTS : Netty vulnerabilities (USN-6049-1)	Nessus	Ubuntu Local Security Checks	medium
170224	openSUSE 15 Security Update : netty (SUSE-SU-2022:1315-1)	Nessus	SuSE Local Security Checks	medium
154253	Oracle NoSQL Database Multiple Vulnerabilities (Oct 2021 CPU)	Nessus	Databases	medium
153835	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 7 (Important) (RHSA-2021:3656)	Nessus	Red Hat Local Security Checks	high
153832	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.4.1 security update on RHEL 8 (Important) (RHSA-2021:3658)	Nessus	Red Hat Local Security Checks	high
151974	Oracle Primavera Gateway (Jul 2021 CPU)	Nessus	CGI abuses	critical
151580	RHEL 6 : Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 6 (RHSA-2021:2692)	Nessus	Red Hat Local Security Checks	medium
151579	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 7 (RHSA-2021:2693)	Nessus	Red Hat Local Security Checks	medium
151578	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.3.8 on RHEL 8 (RHSA-2021:2694)	Nessus	Red Hat Local Security Checks	medium
150930	Photon OS 2.0: Zookeeper PHSA-2021-2.0-0358	Nessus	PhotonOS Local Security Checks	medium
150910	Photon OS 3.0: Zookeeper PHSA-2021-3.0-0254	Nessus	PhotonOS Local Security Checks	medium
149319	RHEL 7 / 8 : AMQ Clients 2.9.1 release and (RHSA-2021:1511)	Nessus	Red Hat Local Security Checks	medium
148326	Debian DSA-4885-1 : netty - security update	Nessus	Debian Local Security Checks	critical

Detections

Analytics

CVE-2021-21409

medium

Tenable Plugins

Coming Soon

critical

medium

medium

medium

high

high

critical

medium

medium

medium

medium

medium

medium

critical