An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage will take significant time to parse.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of application-gateway-kubernetes-ingress / cf-cli / cni / containerized-data-importer / gh / keda / kubevirt / multus installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32149 advisory.

  - An attacker May cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:2077 advisory.

    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo,     and runc.

    Security Fix(es):

    * golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    * podman: Symlink error leads to information disclosure (CVE-2022-4122)

    * buildah: full container escape at build time (CVE-2024-1753)

    For more details about the security issue(s), including the impact, a CVSS     score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References     section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3204 advisory.

    OpenShift Virtualization is Red Hat's virtualization solution designed for Red Hat OpenShift Container     Platform.

    This advisory contains OpenShift Virtualization 4.13.0 RPMs.

    Security Fix(es):

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

    * golang: net/http: excessive memory growth in a Go server accepting HTTP/2 requests (CVE-2022-41717)

    * golang: math/big: decoding big.Float and big.Rat types can panic if the encoded message is too short,     potentially allowing a denial of service (CVE-2022-32189)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * 4.13.0 rpms (BZ#2124993)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3613 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.12.22. See the     following advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:3615

    Security Fix(es):

    * golang: archive/tar: unbounded memory consumption when reading headers (CVE-2022-2879)

    * golang: net/http/httputil: ReverseProxy should not forward unparseable query parameters (CVE-2022-2880)

    * golang: net/http: handle server errors after sending GOAWAY (CVE-2022-27664)

    * golang: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    * golang: net/url: JoinPath does not strip relative path components in all circumstances (CVE-2022-32190)

    * golang: regexp/syntax: limit memory used by parsing regexps (CVE-2022-41715)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.12 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.12/updating/updating-cluster-cli.html.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2024:1994 advisory.

    The container-tools module contains tools for working with containers, notably podman, buildah, skopeo,     and runc.

    Security Fix(es):

    * podman: golang.org/x/text/language: ParseAcceptLanguage takes a long time to parse complex tags     (CVE-2022-32149)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of containerd installed on the remote host is prior to 1.7.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2024-035 advisory.

    An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

    A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of     an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection,     it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent     arbitrary HTTP2 requests. (CVE-2022-41721)

    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI     image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with     a large file where a limit was not applied could cause a denial of service. This bug has been fixed in     containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround,     ensure that only trusted images are used and that only trusted users have permissions to import images.
    (CVE-2023-25153)

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and     1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct     access to a container and manipulates their supplementary group access, they may be able to use     supplementary group access to bypass primary group restrictions in some cases, potentially gaining access     to sensitive information or gaining the ability to execute code in that container. Downstream applications     that use the containerd client library may be affected as well. This bug has been fixed in containerd     v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue.
    Users who rely on a downstream application that uses containerd's client library should check that     application for a separate advisory and instructions. As a workaround, ensure that the `USER $USERNAME`     Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to     `ENTRYPOINT [su, -, user]` to allow `su` to properly set up supplementary groups. (CVE-2023-25173)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of containerd installed on the remote host is prior to 1.7.2-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2DOCKER-2024-035 advisory.

    An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

    A request smuggling attack is possible when using MaxBytesHandler. When using MaxBytesHandler, the body of     an HTTP request is not fully consumed. When the server attempts to read HTTP2 frames from the connection,     it will instead be reading the body of the HTTP request, which could be attacker-manipulated to represent     arbitrary HTTP2 requests. (CVE-2022-41721)

    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI     image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with     a large file where a limit was not applied could cause a denial of service. This bug has been fixed in     containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround,     ensure that only trusted images are used and that only trusted users have permissions to import images.
    (CVE-2023-25153)

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and     1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct     access to a container and manipulates their supplementary group access, they may be able to use     supplementary group access to bypass primary group restrictions in some cases, potentially gaining access     to sensitive information or gaining the ability to execute code in that container. Downstream applications     that use the containerd client library may be affected as well. This bug has been fixed in containerd     v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue.
    Users who rely on a downstream application that uses containerd's client library should check that     application for a separate advisory and instructions. As a workaround, ensure that the `USER $USERNAME`     Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to     `ENTRYPOINT [su, -, user]` to allow `su` to properly set up supplementary groups. (CVE-2023-25173)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Red Hat Enterprise Linux CoreOS 4 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3613 advisory.

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Reader.Read does not set a limit on the maximum size of file headers. A maliciously crafted archive could     cause Read to allocate unbounded amounts of memory, potentially causing resource exhaustion or panics.
    After fix, Reader.Read limits the maximum size of header blocks to 1 MiB. (CVE-2022-2879)

  - Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparsable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparsable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - JoinPath and URL.JoinPath do not remove ../ path elements appended to a relative path. For example,     JoinPath(https://go.dev, ../go) returns the URL https://go.dev/../go, despite the JoinPath     documentation stating that ../ path elements are removed from the result. (CVE-2022-32190)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of application-gateway-kubernetes-ingress / cf-cli / cni / containerized-data-importer / gh / keda / kubevirt / multus installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2022-32149 advisory.

  - An attacker May cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3868-1 advisory.

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if     someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by     poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There     is no workaround, but attacker must have access to the hashed password to use this functionality.
    (CVE-2022-46146)

  - Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time     verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <=     8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in     circulation with keys larger than this, and all three appear to be test certificates that are not actively     deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so     causing breakage here in the interests of increasing the default safety of users of crypto/tls seems     reasonable. (CVE-2023-29409)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:3867-1 advisory.

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if     someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by     poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There     is no workaround, but attacker must have access to the hashed password to use this functionality.
    (CVE-2022-46146)

  - Extremely large RSA keys in certificate chains can cause a client/server to expend significant CPU time     verifying signatures. With fix, the size of RSA keys transmitted during handshakes is restricted to <=     8192 bits. Based on a survey of publicly trusted RSA keys, there are currently only three certificates in     circulation with keys larger than this, and all three appear to be test certificates that are not actively     deployed. It is possible there are larger keys in use in private PKIs, but we target the web PKI, so     causing breakage here in the interests of increasing the default safety of users of crypto/tls seems     reasonable. (CVE-2023-29409)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2575-1 advisory.

  - All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
    (CVE-2020-7753)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues()     method, aka lib/internal/iterator.js createObjectIterator prototype pollution. (CVE-2021-43138)

  - follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor     (CVE-2022-0155)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch     prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified     Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor     to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10     contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
    (CVE-2022-31097)

  - Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9,     8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana     instance via a configured OAuth IdP which provides a login name to take over the account of another user     in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via     OAuth, the malicious user's external user id is not already associated with an account in Grafana, the     malicious user's email address is not already associated with an account in Grafana, and the malicious     user knows the Grafana username of the target user. If these conditions are met, the malicious user can     set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log     in to Grafana. Due to the way that external and internal user accounts are linked together during login,     if the conditions above are all met then the malicious user will be able to log in to the target user's     Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a     workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users     authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
    (CVE-2022-31107)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13     are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to     take over the server admin account and gain full control of the grafana instance. All installations should     be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:
    https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-     proxy/ (CVE-2022-35957)

  - Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9,     and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on     some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where     RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder     permissions to RBAC permissions do not account for the scenario where the only user permission in the     folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and     view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround     when the impacted folder/dashboard is known is to remove the additional permissions manually.
    (CVE-2022-36062)

  - Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana     introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the     authentication token. By enabling the url_login configuration option (disabled by default), a JWT might     be sent to data sources. If an attacker has access to the data source, the leaked token could be used to     authenticate to Grafana. (CVE-2023-1387)

  - Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS     vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due     the value of the Function Description was not properly sanitized. An attacker needs to have control over     the Graphite data source in order to manipulate a function description and a Grafana admin needs to     configure the data source, later a Grafana user needs to select a tampered function and hover over the     description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. (CVE-2023-1410)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2578-1 advisory.

  - All versions of package trim are vulnerable to Regular Expression Denial of Service (ReDoS) via trim().
    (CVE-2020-7753)

  - ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

  - json-schema is vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype     Pollution') (CVE-2021-3918)

  - In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues()     method, aka lib/internal/iterator.js createObjectIterator prototype pollution. (CVE-2021-43138)

  - follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor     (CVE-2022-0155)

  - In net/http in Go before 1.18.6 and 1.19.x before 1.19.1, attackers can cause a denial of service because     an HTTP/2 connection can hang during closing if shutdown were preempted by a fatal error. (CVE-2022-27664)

  - Grafana is an open-source platform for monitoring and observability. Versions on the 8.x and 9.x branch     prior to 9.0.3, 8.5.9, 8.4.10, and 8.3.10 are vulnerable to stored cross-site scripting via the Unified     Alerting feature of Grafana. An attacker can exploit this vulnerability to escalate privilege from editor     to admin by tricking an authenticated admin to click on a link. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10     contain a patch. As a workaround, it is possible to disable alerting or use legacy alerting.
    (CVE-2022-31097)

  - Grafana is an open-source platform for monitoring and observability. In versions 5.3 until 9.0.3, 8.5.9,     8.4.10, and 8.3.10, it is possible for a malicious user who has authorization to log into a Grafana     instance via a configured OAuth IdP which provides a login name to take over the account of another user     in that Grafana instance. This can occur when the malicious user is authorized to log in to Grafana via     OAuth, the malicious user's external user id is not already associated with an account in Grafana, the     malicious user's email address is not already associated with an account in Grafana, and the malicious     user knows the Grafana username of the target user. If these conditions are met, the malicious user can     set their username in the OAuth provider to that of the target user, then go through the OAuth flow to log     in to Grafana. Due to the way that external and internal user accounts are linked together during login,     if the conditions above are all met then the malicious user will be able to log in to the target user's     Grafana account. Versions 9.0.3, 8.5.9, 8.4.10, and 8.3.10 contain a patch for this issue. As a     workaround, concerned users can disable OAuth login to their Grafana instance, or ensure that all users     authorized to log in via OAuth have a corresponding user account in Grafana linked to their email address.
    (CVE-2022-31107)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - Grafana is an open-source platform for monitoring and observability. Versions prior to 9.1.6 and 8.5.13     are vulnerable to an escalation from admin to server admin when auth proxy is used, allowing an admin to     take over the server admin account and gain full control of the grafana instance. All installations should     be upgraded as soon as possible. As a workaround deactivate auth proxy following the instructions at:
    https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-authentication/auth-     proxy/ (CVE-2022-35957)

  - Grafana is an open-source platform for monitoring and observability. In versions prior to 8.5.13, 9.0.9,     and 9.1.6, Grafana is subject to Improper Preservation of Permissions resulting in privilege escalation on     some folders where Admin is the only used permission. The vulnerability impacts Grafana instances where     RBAC was disabled and enabled afterwards, as the migrations which are translating legacy folder     permissions to RBAC permissions do not account for the scenario where the only user permission in the     folder is Admin, as a result RBAC adds permissions for Editors and Viewers which allow them to edit and     view folders accordingly. This issue has been patched in versions 8.5.13, 9.0.9, and 9.1.6. A workaround     when the impacted folder/dashboard is known is to remove the additional permissions manually.
    (CVE-2022-36062)

  - Programs which compile regular expressions from untrusted sources may be vulnerable to memory exhaustion     or denial of service. The parsed regexp representation is linear in the size of the input, but in some     cases the constant factor can be as high as 40,000, making relatively small regexps consume much larger     amounts of memory. After fix, each regexp being parsed is limited to a 256 MB memory footprint. Regular     expressions whose representation would use more space than that are rejected. Normal use of regular     expressions is unaffected. (CVE-2022-41715)

  - Prometheus Exporter Toolkit is a utility package to build exporters. Prior to versions 0.7.2 and 0.8.2, if     someone has access to a Prometheus web.yml file and users' bcrypted passwords, they can bypass security by     poisoning the built-in authentication cache. Versions 0.7.2 and 0.8.2 contain a fix for the issue. There     is no workaround, but attacker must have access to the hashed password to use this functionality.
    (CVE-2022-46146)

  - Grafana is an open-source platform for monitoring and observability. Starting with the 9.1 branch, Grafana     introduced the ability to search for a JWT in the URL query parameter auth_token and use it as the     authentication token. By enabling the url_login configuration option (disabled by default), a JWT might     be sent to data sources. If an attacker has access to the data source, the leaked token could be used to     authenticate to Grafana. (CVE-2023-1387)

  - Grafana is an open-source platform for monitoring and observability. Grafana had a stored XSS     vulnerability in the Graphite FunctionDescription tooltip. The stored XSS vulnerability was possible due     the value of the Function Description was not properly sanitized. An attacker needs to have control over     the Graphite data source in order to manipulate a function description and a Grafana admin needs to     configure the data source, later a Grafana user needs to select a tampered function and hover over the     description. Users may upgrade to version 8.5.22, 9.2.15 and 9.3.11 to receive a fix. (CVE-2023-1410)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5873-1 advisory.

    It was discovered that Go Text incorrectly handled certain encodings. An attacker could possibly use this     issue to cause a denial of service. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS.
    (CVE-2020-14040)

    It was discovered that Go Text incorrectly handled certain BCP 47 language tags. An attacker could     possibly use this issue to cause a denial of service. CVE-2020-28851, CVE-2020-28852 and CVE-2021-38561     affected only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. (CVE-2020-28851, CVE-2020-28852, CVE-2021-38561,     CVE-2022-32149)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202210-14 (Gitea: Multiple Vulnerabilities)

  - Cross-site Scripting (XSS) - Stored in GitHub repository go-gitea/gitea prior to 1.16.9. (CVE-2022-1928)

  - An attacker may cause a denial of service by crafting an Accept-Language header which ParseAcceptLanguage     will take significant time to parse. (CVE-2022-32149)

  - In Gitea before 1.16.9, it was possible for users to add existing issues to projects. Due to improper     access controls, an attacker could assign any issue to any project in Gitea (there was no permission check     for fetching the issue). As a result, the attacker would get access to private issue titles.
    (CVE-2022-38183)

  - Gitea before 1.17.3 does not sanitize and escape refs in the git backend. Arguments to git commands are     mishandled. (CVE-2022-42968)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
224734	Linux Distros Unpatched Vulnerability : CVE-2022-32149	Nessus	Misc.	high
215247	Azure Linux 3.0 Security Update: application-gateway-kubernetes-ingress / cf-cli / cni / containerized-data-importer / gh / keda / kubevirt / multus (CVE-2022-32149)	Nessus	Azure Linux Local Security Checks	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	critical
194467	RHEL 8 : container-tools:rhel8 (RHSA-2024:2077)	Nessus	Red Hat Local Security Checks	medium
194320	RHEL 7 / 8 / 9 : OpenShift Virtualization 4.13.0 RPMs (RHSA-2023:3204)	Nessus	Red Hat Local Security Checks	high
194228	RHEL 8 / 9 : OpenShift Container Platform 4.12.22 (RHSA-2023:3613)	Nessus	Red Hat Local Security Checks	high
193801	RHEL 8 : container-tools:rhel8 (RHSA-2024:1994)	Nessus	Red Hat Local Security Checks	high
189477	Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2024-035)	Nessus	Amazon Linux Local Security Checks	high
189472	Amazon Linux 2 : containerd (ALASDOCKER-2024-035)	Nessus	Amazon Linux Local Security Checks	high
189414	RHCOS 4 : OpenShift Container Platform 4.12.22 (RHSA-2023:3613)	Nessus	Red Hat Local Security Checks	high
185997	CBL Mariner 2.0 Security Update: application-gateway-kubernetes-ingress / cf-cli / cni / containerized-data-importer / gh / keda / kubevirt / multus (CVE-2022-32149)	Nessus	MarinerOS Local Security Checks	high
182181	openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:3868-1)	Nessus	SuSE Local Security Checks	high
182172	SUSE SLES12 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:3867-1)	Nessus	SuSE Local Security Checks	high
177500	SUSE SLED15 / SLES15 / openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:2575-1)	Nessus	SuSE Local Security Checks	critical
177497	SUSE SLES15 / openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2023:2578-1)	Nessus	SuSE Local Security Checks	critical
171575	Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Go Text vulnerabilities (USN-5873-1)	Nessus	Ubuntu Local Security Checks	high
166729	GLSA-202210-14 : Gitea: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical

Detections

Analytics

CVE-2022-32149

high

Tenable Plugins

high

high

critical

medium

high

high

high

high

high

high

high

high

high

critical

critical

high

critical