In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This     issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions. (CVE-2021-31812)

Note that Nessus relies on the presence of the package as reported by the vendor.

The versions of Oracle Siebel CRM installed on the remote host are affected by a vulnerability as referenced in the July 2022 CPU advisory.

  - Vulnerability in the Siebel Apps - Field Service product of Oracle Siebel CRM (component: Smart Answer     (Apache PDFBox)). Supported versions that are affected are 22.6 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with logon to the infrastructure where Siebel Apps - Field     Service executes to compromise Siebel Apps - Field Service. Successful attacks require human interaction     from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Siebel Apps - Field Service.
    (CVE-2021-31812)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The 12.2.1.4.0 version of WebCenter Sites installed on the remote host is affected by multiple vulnerabilities as referenced in the January 2023 CPU advisory.

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter     Sites (Apache PDFBox)). The supported version that is affected is 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with logon to the infrastructure where Oracle WebCenter     Sites executes to compromise Oracle WebCenter Sites. Successful attacks require human interaction from a     person other than the attacker. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebCenter Sites.
    (CVE-2021-31812)

  - Vulnerability in the Oracle WebCenter Sites product of Oracle Fusion Middleware (component: WebCenter     Sites (Apache Shiro)). The supported version that is affected is 12.2.1.4.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle WebCenter     Sites. Successful attacks of this vulnerability can result in takeover of Oracle WebCenter Sites.
    (CVE-2022-40664)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle WebCenter Portal installed on the remote host is missing a security patch from the April 2022 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - An XML external entity vulnerability in the bundled jackson-databind component which allows an unauthenticated     attacker with network access via HTTP to access, create or delete all data accessible to Oracle WebCenter     Portal. (CVE-2020-25649)

  - Denial of service vulnerabilities in the bundled Apache Tika, jsoup, Netty and Apache Commons Compress components which     allow an unauthenticated attacker with network access via HTTP to cause a hang or frequently repeatable crash     of the Oracle WebCenter Portal. (CVE-2020-28657, CVE-2021-36090, CVE-2021-37137, CVE-2021-37714)

  - A path traversal vulnerability in the bundled Apache Commons IO component which allows an unauthenticated attacker     with network access via HTTP to read, update or delete a subset of data accessible to Oracle WebCenter Portal.
    (CVE-2021-29425)

  - A Denial of service vulnerability in the bundled Apache PDFBox component which allows an unauthenticated attacker     with logon to the infrastructure where Oracle WebCenter Portal executes, with human interaction from another user     to cause a hang or frequently repeatable crash of the Oracle WebCenter Portal. (CVE-2021-31912)

  - A cross-site scripting vulnerability in the bundled CKEditor component which allows a low privileged attacker     with network access via HTTP, with human interaction from another user, to read, update or delete a subset of     data accessible to Oracle WebCenter Portal. (CVE-2021-41165)

  - A remote code execution vulnerability in the bundled Apache Log4J component which allows a high privileged     attacker with network access via HTTP to execute arbitrary code on the Oracle WebCenter Portal. (CVE-2021-44832)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
257927	Linux Distros Unpatched Vulnerability : CVE-2021-31812	Nessus	Misc.	medium
212449	Oracle Siebel Server (July 2022 CPU)	Nessus	Misc.	medium
170197	Oracle WebCenter Sites (Jan 2023 CPU)	Nessus	Windows	critical
159954	Oracle WebCenter Portal Multiple Vulnerabilities (Apr 2022 CPU)	Nessus	Misc.	high

Detections

Analytics

CVE-2021-31812

medium

Tenable Plugins

medium

medium

critical

high