The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2022:8506 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - The {% debug %} template tag in Django 2.2 before 2.2.27, 3.2 before 3.2.12, and 4.0 before 4.0.2 does not     properly encode the current context. This may lead to XSS. (CVE-2022-22818)

  - Nokogiri is an open source XML and HTML library for Ruby. Nokogiri `< v1.13.4` contains an inefficient     regular expression that is susceptible to excessive backtracking when attempting to detect encoding in     HTML documents. Users are advised to upgrade to Nokogiri `>= 1.13.4`. There are no known workarounds for     this issue. (CVE-2022-24836)

  - The package git before 1.11.0 are vulnerable to Command Injection via git argument injection. When calling     the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch     subcommand in a way that additional flags can be set. The additional flags can be used to perform a     command injection. (CVE-2022-25648)

  - Sinatra before 2.2.0 does not validate that the expanded path matches public_dir when serving static     files. (CVE-2022-29970)

  - # Possible XSS Vulnerability in Rails::Html::SanitizerThere is a possible XSS vulnerability with certain     configurations of Rails::Html::Sanitizer.This vulnerability has been assigned the CVE identifier     CVE-2022-32209.Versions Affected: ALLNot affected: NONEFixed Versions: v1.4.3## ImpactA possible XSS     vulnerability with certain configurations of Rails::Html::Sanitizer may allow an attacker to inject     content if the application developer has overridden the sanitizer's allowed tags to allow both `select`     and `style` elements.Code is only impacted if allowed tags are being overridden. This may be done via     application configuration:```ruby# In config/application.rbconfig.action_view.sanitized_allowed_tags =     [select, style]```see https://guides.rubyonrails.org/configuring.html#configuring-action-viewOr it may     be done with a `:tags` option to the Action View helper `sanitize`:```<%= sanitize @comment.body, tags:
    [select, style] %>```see     https://api.rubyonrails.org/classes/ActionView/Helpers/SanitizeHelper.html#method-i-sanitizeOr it may be     done with Rails::Html::SafeListSanitizer directly:```ruby# class-level     optionRails::Html::SafeListSanitizer.allowed_tags = [select, style]```or```ruby# instance-level     optionRails::Html::SafeListSanitizer.new.sanitize(@article.body, tags: [select, style])```All users     overriding the allowed tags by any of the above mechanisms to include both select and style should     either upgrade or use one of the workarounds immediately.## ReleasesThe FIXED releases are available at     the normal locations.## WorkaroundsRemove either `select` or `style` from the overridden allowed tags.##     CreditsThis vulnerability was responsibly reported by     [windshock](https://hackerone.com/windshock?type=user). (CVE-2022-32209)

  - An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract()     database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value.
    Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
    (CVE-2022-34265)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle Access Manager installed on the remote host is missing a security patch from the October 2023 CPU Advisory. It is, therefore, affected by denial of service vulnerability. Vulnerability in the Oracle Access Manager product of Oracle Fusion Middleware (component: Centralized Thirdparty Jars (Netty)). The supported version that is affected is 12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Access Manager. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Access Manager. 

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-6049-1 advisory.

  - The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a     ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server,     forcing the server to allocate all of its free memory to a single decoder. (CVE-2020-11612)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is     not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to     true. This could lead to request smuggling if the request is proxied to a remote peer and translated to     HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case.
    This was fixed as part of 4.1.61.Final. (CVE-2021-21409)

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - Netty project is an event-driven asynchronous network application framework. In versions prior to     4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an     infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a     custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Netty project is an event-driven asynchronous network application framework. Starting in version     4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of     values, header value validation was not performed, allowing malicious header values in the iterator to     perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work     around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a     `remove()` call, and call `add()` in a loop over the iterator of values. (CVE-2022-41915)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2022:1271-1 advisory.

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a     vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are     used local information disclosure can occur via the local system temporary directory if temporary storing     uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user.
    As such, writing to this directory using APIs that do not explicitly set the file/directory permissions     can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The     method File.createTempFile on unix-like systems creates a random file, but, by default will create this     file with the permissions -rw-r--r--. Thus, if sensitive information is written to this file, other     local users can read this information. This is the case in netty's AbstractDiskHttpData is vulnerable.
    This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own java.io.tmpdir     when you start the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something     that is only readable by the current user. (CVE-2021-21290)

  - Netty is an open-source, asynchronous event-driven network application framework for rapid development of     maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before     version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header     is present in the original HTTP/2 request, the field is not validated by `Http2MultiplexHandler` as it is     propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request     comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (`HttpRequest`,     `HttpContent`, etc.) via `Http2StreamFrameToHttpObjectCodec `and then sent up to the child channel's     pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy     case, users may assume the content-length is validated somehow, which is not the case. If the request is     forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs     to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to     HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of     this is true: `HTTP2MultiplexCodec` or `Http2FrameCodec` is used, `Http2StreamFrameToHttpObjectCodec` is     used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This     has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by     implementing a custom `ChannelInboundHandler` that is put in the `ChannelPipeline` behind     `Http2StreamFrameToHttpObjectCodec`. (CVE-2021-21295)

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-3268 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - Netty project is an event-driven asynchronous network application framework. In versions prior to     4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an     infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a     custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Netty project is an event-driven asynchronous network application framework. Starting in version     4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of     values, header value validation was not performed, allowing malicious header values in the iterator to     perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work     around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a     `remove()` call, and call `add()` in a loop over the iterator of values. (CVE-2022-41915)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-5316 advisory.

  - The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed     output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are     affected. The malicious input can trigger an OOME and so a DoS attack (CVE-2021-37136)

  - The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory     usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which     may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious     input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable     chunk. (CVE-2021-37137)

  - Netty is an asynchronous event-driven network application framework for rapid development of maintainable     high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when     they are present at the beginning / end of the header name. It should instead fail fast as these are not     allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause     netty to sanitize header names before it forward these to another remote system when used as proxy. This     remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users     should upgrade to version 4.1.71.Final. (CVE-2021-43797)

  - Netty project is an event-driven asynchronous network application framework. In versions prior to     4.1.86.Final, a StackOverflowError can be raised when parsing a malformed crafted message due to an     infinite recursion. This issue is patched in version 4.1.86.Final. There is no workaround, except using a     custom HaProxyMessageDecoder. (CVE-2022-41881)

  - Netty project is an event-driven asynchronous network application framework. Starting in version     4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of     values, header value validation was not performed, allowing malicious header values in the iterator to     perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work     around the issue by changing the `DefaultHttpHeaders.set(CharSequence, Iterator<?>)` call, into a     `remove()` call, and call `add()` in a loop over the iterator of values. (CVE-2022-41915)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:4918 advisory.

  - jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)

  - netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)

  - netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an     unnecessary way (CVE-2021-37137)

  - h2: Remote Code Execution in Console (CVE-2021-42392)

  - netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)

  - xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)

  - jboss-client: memory leakage in remote client transaction (CVE-2022-0853)

  - wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security     enabled (CVE-2022-0866)

  - undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319)

  - OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)     (CVE-2022-21299)

  - mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network     access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)

  - h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221)

  - xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437)

  - artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)

  - Moment.js: Path traversal  in moment.locale (CVE-2022-24785)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:4919 advisory.

  - jackson-databind: denial of service via a large depth of nested objects (CVE-2020-36518)

  - netty-codec: Bzip2Decoder doesn't allow setting size restrictions for decompressed data (CVE-2021-37136)

  - netty-codec: SnappyFrameDecoder doesn't restrict chunk length and may buffer skippable chunks in an     unnecessary way (CVE-2021-37137)

  - h2: Remote Code Execution in Console (CVE-2021-42392)

  - netty: control chars in header names may lead to HTTP request smuggling (CVE-2021-43797)

  - xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr (CVE-2022-0084)

  - jboss-client: memory leakage in remote client transaction (CVE-2022-0853)

  - wildfly: Wildfly management of EJB Session context returns wrong caller principal with Elytron Security     enabled (CVE-2022-0866)

  - undertow: Double AJP response for 400 from EAP 7 results in CPING failures (CVE-2022-1319)

  - OpenJDK: Infinite loop related to incorrect handling of newlines in XMLEntityScanner (JAXP, 8270646)     (CVE-2022-21299)

  - mysql-connector-java: Difficult to exploit vulnerability allows high privileged attacker with network     access via multiple protocols to compromise MySQL Connectors (CVE-2022-21363)

  - h2: Loading of custom classes from remote servers through JNDI (CVE-2022-23221)

  - xerces-j2: infinite loop when handling specially crafted XML document payloads (CVE-2022-23437)

  - artemis-commons: Apache ActiveMQ Artemis DoS (CVE-2022-23913)

  - Moment.js: Path traversal  in moment.locale (CVE-2022-24785)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Oracle NoSQL Database Enterprise running on the remote host is prior to 21.1.12. It is, therefore, affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory.

  - Security-in-Depth issue in Oracle NoSQL Database (component: Administration (Netty). This vulnerability     cannot be exploited in the context of this product. (CVE-2021-21409)

  - Security-in-Depth issue in Oracle NoSQL Database (component: Snappy frame decoder function). The Snappy     frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside     this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to     excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that     decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
    (CVE-2021-37137)

  - Security-in-Depth issue in Oracle NoSQL Database (component: Administration (Go). This vulnerability     cannot be exploited in the context of this product. (CVE-2021-34558)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
184617	Rocky Linux 8 : Satellite 6.12 Release (Important) (RLSA-2022:8506)	Nessus	Rocky Linux Local Security Checks	critical
183517	Oracle Access Manager DoS (October 2023 CPU)	Nessus	Misc.	high
174932	Ubuntu 16.04 ESM / 18.04 ESM / 20.04 ESM / 22.04 LTS : Netty vulnerabilities (USN-6049-1)	Nessus	Ubuntu Local Security Checks	medium
170223	openSUSE 15 Security Update : netty (SUSE-SU-2022:1271-1)	Nessus	SuSE Local Security Checks	medium
170079	Debian DLA-3268-1 : netty - LTS security update	Nessus	Debian Local Security Checks	medium
169929	Debian DSA-5316-1 : netty - security update	Nessus	Debian Local Security Checks	medium
161911	RHEL 7 : Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 7 (Moderate) (RHSA-2022:4918)	Nessus	Red Hat Local Security Checks	critical
161910	RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.4.5 security update on RHEL 8 (Moderate) (RHSA-2022:4919)	Nessus	Red Hat Local Security Checks	critical
154253	Oracle NoSQL Database Multiple Vulnerabilities (Oct 2021 CPU)	Nessus	Databases	medium

Detections

Analytics

CVE-2021-37136

high

Tenable Plugins

critical

high

medium

medium

medium

medium

critical

critical

medium