The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-93173 advisory.

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 9.0.73-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT9-2023-008 advisory.

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote     Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able     to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords     used to access the JMX interface. The attacker can then use these credentials to access the JMX interface     and gain complete control over the Tomcat instance. (CVE-2019-12418)

  - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98     there was a narrow window where an attacker could perform a session fixation attack. The window was     considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has     been treated as a security vulnerability. (CVE-2019-17563)

  - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to     10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could     trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of     service. (CVE-2020-13935)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting     in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note     that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is     not enabled by default and must be explicitly configured. (CVE-2023-24998)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.87-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-013 advisory.

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote     Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able     to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords     used to access the JMX interface. The attacker can then use these credentials to access the JMX interface     and gain complete control over the Tomcat instance. (CVE-2019-12418)

  - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98     there was a narrow window where an attacker could perform a session fixation attack. The window was     considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has     been treated as a security vulnerability. (CVE-2019-17563)

  - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to     10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could     trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of     service. (CVE-2020-13935)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting     in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note     that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is     not enabled by default and must be explicitly configured. (CVE-2023-24998)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 19c and 21c versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the July CPU advisory.

  - Vulnerability in the Oracle Text (LibExpat) component of Oracle Database Server. Supported versions that     are affected are 19.3-19.19 and 21.3-21.10. Easily exploitable vulnerability allows low privileged     attacker having Create Session, Create Index privilege with network access via Oracle Net to compromise     Oracle Text (LibExpat). Successful attacks of this vulnerability can result in unauthorized ability to     cause a hang or frequently repeatable crash (complete DOS) of Oracle Text (LibExpat). (CVE-2022-43680)

  - Vulnerability in the Advanced Networking Option component of Oracle Database Server. Supported versions     that are affected are 19.3-19.19 and 21.3-21.10. Difficult to exploit vulnerability allows     unauthenticated attacker with network access via Oracle Net to compromise Advanced Networking Option.
    Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to     some of Advanced Networking Option accessible data. (CVE-2023-21949)

  - Vulnerability in the Unified Audit component of Oracle Database Server. Supported versions that are     affected are 19.3-19.19 and 21.3-21.10. Easily exploitable vulnerability allows high privileged     attacker having SYSDBA privilege with network access via Oracle Net to compromise Unified Audit.
    Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification     access to critical data or all Unified Audit accessible data. (CVE-2023-22034)

  - Security-in-depth updates for CVE-2021-3520, CVE-2022-21189, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708,     CVE-2023-28709, CVE-2023-30533 and CVE-2023-34981

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202305-37 (Apache Tomcat: Multiple Vulnerabilities)

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting     in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note     that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is     not enabled by default and must be explicitly configured. (CVE-2023-24998)

  - The fix for CVE-2023-24998 was incomplete for Apache Tomcat 11.0.0-M2 to 11.0.0-M4, 10.1.5 to 10.1.7,     9.0.71 to 9.0.73 and 8.5.85 to 8.5.87. If non-default HTTP connector settings were used such that the     maxParameterCount could be reached using query string parameters and a request was submitted that supplied     exactly maxParameterCount parameters in the query string, the limit for uploaded request parts could be     bypassed with the potential for a denial of service to occur. (CVE-2023-28709)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-176 advisory.

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.6.2. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6.2 advisory.

  - Mis-trained branch predictions for return instructions may allow arbitrary speculative code execution     under certain microarchitecture-dependent conditions. (CVE-2022-29900)

  - Intel microprocessor generations 6 to 8 are affected by a new Spectre variant that is able to bypass their     retpoline mitigation in the kernel to leak arbitrary data. An attacker with unprivileged user access can     hijack return instructions to achieve arbitrary speculative code execution under certain     microarchitecture-dependent conditions. (CVE-2022-29901)

  - An out-of-bounds memory read flaw was found in the Linux kernel's BPF subsystem in how a user calls the     bpf_tail_call function with a key larger than the max_entries of the map. This flaw allows a local user to     gain unauthorized access to data. (CVE-2022-2905)

  - In the Linux kernel before 5.17.3, fs/io_uring.c has a use-after-free due to a race condition in io_uring     timeouts. This can be triggered by a local user who has no access to any user namespace; however, the race     condition perhaps can only be exploited infrequently. (CVE-2022-29582)

  - An unprivileged write to the file handler flaw in the Linux kernel's control groups and namespaces     subsystem was found in the way users have access to some less privileged process that are controlled by     cgroups and have higher privileged parent process. It is actually both for cgroup2 and cgroup1 versions of     control groups. A local user could use this flaw to crash the system or escalate their privileges on the     system. (CVE-2021-4197)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

  - A flaw was found in the Linux kernel's KVM when attempting to set a SynIC IRQ. This issue makes it     possible for a misbehaving VMM to write to SYNIC/STIMER MSRs, causing a NULL pointer dereference. This     flaw allows an unprivileged local attacker on the host to issue specific ioctl calls, causing a kernel     oops condition that results in a denial of service. (CVE-2022-2153)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Serialization). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf;
    Oracle GraalVM Enterprise Edition: 20.3.8 and 21.3.4. Easily exploitable vulnerability allows     unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle     GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update,     insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java     deployments, typically in servers, that load and run only trusted code (e.g., code installed by an     administrator). (CVE-2023-21830)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Sound). Supported versions that are affected are Oracle Java SE: 8u351, 8u351-perf, 11.0.17,     17.0.5, 19.0.1; Oracle GraalVM Enterprise Edition: 20.3.8, 21.3.4 and 22.3.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2023-21843)

  - multipath-tools 0.7.0 through 0.9.x before 0.9.2 allows local users to obtain root access, as exploited     alone or in conjunction with CVE-2022-41973. Local users able to write to UNIX domain sockets can bypass     access controls and manipulate the multipath setup. This can lead to local privilege escalation to root.
    This occurs because an attacker can repeat a keyword, which is mishandled because arithmetic ADD is used     instead of bitwise OR. (CVE-2022-41974)

  - A flaw was found in KVM. When updating a guest's page table entry, vm_pgoff was improperly used as the     offset to get the page's pfn. As vaddr and vm_pgoff are controllable by user-mode processes, this flaw     allows unprivileged local users on the host to write outside the userspace region and potentially corrupt     the kernel, resulting in a denial of service condition. (CVE-2022-1158)

  - The Linux kernel before 5.17.2 mishandles seccomp permissions. The PTRACE_SEIZE code path allows attackers     to bypass intended restrictions on setting the PT_SUSPEND_SECCOMP flag. (CVE-2022-30594)

  - A kernel information leak flaw was identified in the scsi_ioctl function in drivers/scsi/scsi_ioctl.c in     the Linux kernel. This flaw allows a local attacker with a special user privilege (CAP_SYS_ADMIN or     CAP_SYS_RAWIO) to create issues with confidentiality. (CVE-2022-0494)

  - With shadow paging enabled, the INVPCID instruction results in a call to kvm_mmu_invpcid_gva. If INVPCID     is executed with CR0.PG=0, the invlpg callback is not set and the result is a NULL pointer dereference.
    (CVE-2022-1789)

  - A use-after-free flaw was found in fs/ext4/namei.c:dx_insert_block() in the Linux kernel's filesystem sub-     component. This flaw allows a local attacker with a user privilege to cause a denial of service.
    (CVE-2022-1184)

  - An issue was discovered in the Linux kernel through 5.18.14. xfrm_expand_policies in     net/xfrm/xfrm_policy.c can cause a refcount to be dropped twice. (CVE-2022-36879)

  - nfqnl_mangle in net/netfilter/nfnetlink_queue.c in the Linux kernel through 5.18.14 allows remote     attackers to cause a denial of service (panic) because, in the case of an nf_queue verdict with a one-byte     nfta_payload attribute, an skb_pull can encounter a negative skb->len. (CVE-2022-36946)

  - Non-transparent sharing of return predictor targets between contexts in some Intel(R) Processors may allow     an authorized user to potentially enable information disclosure via local access. (CVE-2022-26373)

  - It was discovered that when exec'ing from a non-leader thread, armed POSIX CPU timers would be left on a     list but freed, leading to a use-after-free. (CVE-2022-2585)

  - mm/rmap.c in the Linux kernel before 5.19.7 has a use-after-free related to leaf anon_vma double reuse.
    (CVE-2022-42703)

  - An issue was found in the Linux kernel in nf_conntrack_irc where the message handling can be confused and     incorrectly matches the message. A firewall may be able to be bypassed when users are using unencrypted     IRC with nf_conntrack_irc configured. (CVE-2022-2663)

  - It was discovered that the cls_route filter implementation in the Linux kernel would not remove an old     filter from the hashtable before freeing it if its handle had the value 0. (CVE-2022-2588)

  - A race condition was found the Linux kernel in perf_event_open() which can be exploited by an unprivileged     user to gain root privileges. The bug allows to build several exploit primitives such as kernel address     information leak, arbitrary execution, etc. (CVE-2022-1729)

  - A use-after-free flaw was found in the Linux kernel's FUSE filesystem in the way a user triggers write().
    This flaw allows a local user to gain unauthorized access to data from the FUSE filesystem, resulting in     privilege escalation. (CVE-2022-1011)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to     exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to     compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can     result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM     Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in     clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run     untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This     vulnerability can also be exploited by using APIs in the specified Component, e.g., through a web service     which supplies data to the APIs. (CVE-2022-21619)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf, 11.0.16.1,     17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21624)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Security). Supported versions that are affected are Oracle Java SE: 8u341, 8u345-perf,     11.0.16.1; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTPS to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized ability to cause a     partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise Edition. Note: This     vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start     applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the     internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21626)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Lightweight HTTP Server). Supported versions that are affected are Oracle Java SE: 8u341,     8u345-perf, 11.0.16.1, 17.0.4.1, 19; Oracle GraalVM Enterprise Edition: 20.3.7, 21.3.3 and 22.2.0. Easily     exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not     apply to Java deployments, typically in servers, that load and run only trusted code (e.g., code installed     by an administrator). (CVE-2022-21628)

  - In Sudo before 1.9.12p2, the sudoedit (aka -e) feature mishandles extra arguments passed in the user-     provided environment variables (SUDO_EDITOR, VISUAL, and EDITOR), allowing a local attacker to append     arbitrary entries to the list of files to process. This can lead to privilege escalation. Affected     versions are 1.8.0 through 1.9.12.p1. The problem exists because a user-specified editor may contain a
    -- argument that defeats a protection mechanism, e.g., an EDITOR='vim -- /path/to/extra/file' value.
    (CVE-2023-22809)

  - When sending malicous data to kernel by ioctl cmd FBIOPUT_VSCREENINFO,kernel will write memory out of     bounds. (CVE-2021-33655)

  - The Linux kernel before 5.18.13 lacks a certain clear operation for the block starting symbol (.bss). This     allows Xen PV guest OS users to cause a denial of service or gain privileges. (CVE-2022-36123)

  - Incomplete cleanup of microarchitectural fill buffers on some Intel(R) Processors may allow an     authenticated user to potentially enable information disclosure via local access. (CVE-2022-21125)

  - A use-after-free flaw was found in the Linux kernel's io_uring subsystem in the way a user sets up a ring     with IORING_SETUP_IOPOLL with more than one task completing submissions on this ring. This flaw allows a     local user to crash or escalate their privileges on the system. (CVE-2022-1786)

  - A memory leak problem was found in the TCP source port generation algorithm in net/ipv4/tcp.c due to the     small table perturb size. This flaw may allow an attacker to information leak and may cause a denial of     service problem. (CVE-2022-1012)

  - The SUNRPC subsystem in the Linux kernel through 5.17.2 can call xs_xprt_free before ensuring that sockets     are in the intended state. (CVE-2022-28893)

  - An out-of-bounds read flaw was found in the Linux kernel's TeleTYpe subsystem. The issue occurs in how a     user triggers a race condition using ioctls TIOCSPTLCK and TIOCGPTPEER and TIOCSTI and TCXONC with leakage     of memory in the flush_to_ldisc function. This flaw allows a local user to crash the system or read     unauthorized random data from memory. (CVE-2022-1462)

  - BIND 9.11.0 -> 9.11.36 9.12.0 -> 9.16.26 9.17.0 -> 9.18.0 BIND Supported Preview Editions: 9.11.4-S1 ->     9.11.36-S1 9.16.8-S1 -> 9.16.26-S1 Versions of BIND 9 earlier than those shown - back to 9.1.0, including     Supported Preview Editions - are also believed to be affected but have not been tested as they are EOL.
    The cache could become poisoned with incorrect records leading to queries being made to the wrong servers,     which might also result in false information being returned to clients. (CVE-2021-25220)

  - By flooding the target resolver with queries exploiting this flaw an attacker can significantly impair the     resolver's performance, effectively denying legitimate clients access to the DNS resolution service.
    (CVE-2022-2795)

  - A vulnerability was found in the fs/inode.c:inode_init_owner() function logic of the LInux kernel that     allows local users to create files for the XFS file-system with an unintended group ownership and with     group execution and SGID permission bits set, in a scenario where a directory is SGID and belongs to a     certain group and is writable by a user who is not a member of this group. This can lead to excessive     permissions granted in case when they should not. This vulnerability is similar to the previous     CVE-2018-13405 and adds the missed fix for the XFS. (CVE-2021-4037)

  - Improper Update of Reference Count vulnerability in net/sched of Linux Kernel allows local attacker to     cause privilege escalation to root. This issue affects: Linux Kernel versions prior to 5.18; version 4.14     and later versions. (CVE-2022-29581)

  - mm/mremap.c in the Linux kernel before 5.13.3 has a use-after-free via a stale TLB because an rmap lock is     not held during a PUD move. (CVE-2022-41222)

  - A flaw was found in the Linux kernel. The existing KVM SEV API has a vulnerability that allows a non-root     (host) user-level application to crash the host kernel by creating a confidential guest VM instance in AMD     CPU that supports Secure Encrypted Virtualization (SEV). (CVE-2022-0171)

  - In bdi_put and bdi_unregister of backing-dev.c, there is a possible memory corruption due to a use after     free. This could lead to local escalation of privilege with System execution privileges needed. User     interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID:
    A-182815710References: Upstream kernel (CVE-2022-20158)

  - Product: AndroidVersions: Android kernelAndroid ID: A-224546354References: Upstream kernel     (CVE-2022-20368)

  - By spoofing the target resolver with responses that have a malformed ECDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38177)

  - By spoofing the target resolver with responses that have a malformed EdDSA signature, an attacker can     trigger a small memory leak. It is possible to gradually erode available memory to the point where named     crashes for lack of resources. (CVE-2022-38178)

  - When setting font with malicous data by ioctl cmd PIO_FONT,kernel will write memory out of bounds.
    (CVE-2021-33656)

  - A flaw was found in hw. Mis-trained branch predictions for return instructions may allow arbitrary     speculative code execution under certain microarchitecture-dependent conditions. (CVE-2022-28693)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of MySQL Enterprise Monitor installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory.

  - Vulnerability in the MySQL Workbench product of Oracle MySQL (component: Workbench (OpenSSL)). Supported     versions that are affected are 8.0.32 and prior. Easily exploitable vulnerability allows unauthenticated     attacker with network access via MySQL Workbench to compromise MySQL Workbench. Successful attacks of this     vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Workbench. (CVE-2023-0215)

  - Vulnerability in the Oracle SD-WAN Edge product of Oracle Communications (component: Internal tools     (Apache Tomcat)). The supported version that is affected is 9.1.1.4.0. Easily exploitable vulnerability     allows unauthenticated attacker with network access via HTTP to compromise Oracle SD-WAN Edge. Successful     attacks of this vulnerability can result in unauthorized creation, deletion or modification access to     critical data or all Oracle SD-WAN Edge accessible data. (CVE-2022-45143)

  - Vulnerability in the Oracle WebLogic Server product of Oracle Fusion Middleware (component: Console     (jQueryUI)). Supported versions that are affected are 12.2.1.4.0 and 14.1.1.0.0. Difficult to exploit     vulnerability allows high privileged attacker with logon to the infrastructure where Oracle WebLogic     Server executes to compromise Oracle WebLogic Server. While the vulnerability is in Oracle WebLogic     Server, attacks may significantly impact additional products (scope change). Successful attacks of this     vulnerability can result in unauthorized update, insert or delete access to some of Oracle WebLogic Server     accessible data as well as unauthorized read access to a subset of Oracle WebLogic Server accessible data.
    (CVE-2022-31160)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The 19c and 21c versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the April 2023 CPU advisory.

  - Vulnerability in the Java VM component of Oracle Database Server. Supported versions that are affected     are 19c and 21c. Difficult to exploit vulnerability allows low privileged attacker having User Account     privilege with network access via TLS to compromise Java VM. Successful attacks of this vulnerability     can result in unauthorized creation, deletion or modification access to critical data or all Java VM     accessible data as well as unauthorized access to critical data or complete access to all Java VM     accessible data. (CVE-2023-21934)

  - Vulnerability in the Oracle Database Recovery Manager component of Oracle Database Server. Supported     versions that are affected are 19c and 21c. Easily exploitable vulnerability allows high privileged     attacker having Local SYSDBA privilege with network access via Oracle Net to compromise Oracle Database     Recovery Manager. While the vulnerability is in Oracle Database Recovery Manager, attacks may     significantly impact additional products (scope change). Successful attacks of this vulnerability can     result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle     Database Recovery Manager. (CVE-2023-21918)

  - Vulnerability in the Oracle Database Workload Manager (Apache Commons FileUpload) component of Oracle     Database Server. The supported version that is affected is 21c. Easily exploitable vulnerability allows     low privileged attacker having Authenticated User privilege with network access via HTTP to compromise     Oracle Database Workload Manager (Apache Commons FileUpload). Successful attacks of this vulnerability     can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of     Oracle Database Workload Manager (Apache Commons FileUpload). (CVE-2023-24998)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2023:1853-1 advisory.

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1663 advisory.

  - tomcat: request smuggling (CVE-2022-42252)

  - tomcat: JsonErrorReportValve injection (CVE-2022-45143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5381 advisory.

  - If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was     configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x     only), Tomcat did not reject a request containing an invalid Content-Length header making a request     smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the     request with the invalid header. (CVE-2022-42252)

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

  - When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the     X-Forwarded-Proto header set to https, session cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2,     10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute. This     could result in the user agent transmitting the session cookie over an insecure channel. (CVE-2023-28708)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.6.0.5. It is, therefore, affected by a vulnerability as referenced in the NXSA-AOS-6.6.0.5 advisory.

  - The JsonErrorReportValve in Apache Tomcat 8.5.83, 9.0.40 to 9.0.68 and 10.1.0-M1 to 10.1.1 did not escape     the type, message or description values. In some circumstances these are constructed from user provided     data and it was therefore possible for users to supply values that invalidated or manipulated the JSON     output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 8.5.x to 8.5.83, 9.0.0-M1 to 9.0.68 or 10.1.0-M1 to 10.1.1. It is, therefore, affected by a JsonErrorReportValve injection vulnerability. The JsonErrorReportValve did not escape the type, message or description values. In some circumstances these are constructed from user provided data and it was therefore possible for users to supply values that invalidated or manipulated the JSON output.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.84. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.84_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.69. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.69_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.1.2. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.2_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.2. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.2_security-10 advisory.

  - The JsonErrorReportValve did not escape the type, message or description values. In some circumstances     these are constructed from user provided data and it was therefore possible for users to supply values     that invalidated or manipulated the JSON output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.69. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.69_security-9 advisory.

  - The JsonErrorReportValve did not escape the type, message or description values. In some circumstances     these are constructed from user provided data and it was therefore possible for users to supply values     that invalidated or manipulated the JSON output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is 8.5.83. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.84_security-8 advisory.

  - The JsonErrorReportValve did not escape the type, message or description values. In some circumstances     these are constructed from user provided data and it was therefore possible for users to supply values     that invalidated or manipulated the JSON output. (CVE-2022-45143)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
186228	Atlassian Confluence 7.13.x / 7.19.1 < 7.19.16 (CONFSERVER-93173)	Nessus	CGI abuses	high
182065	Amazon Linux 2 : tomcat (ALASTOMCAT9-2023-008)	Nessus	Amazon Linux Local Security Checks	high
181934	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-013)	Nessus	Amazon Linux Local Security Checks	high
178468	Oracle Database Server (Jul 2023 CPU)	Nessus	Databases	critical
176471	GLSA-202305-37 : Apache Tomcat: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	high
175066	Amazon Linux 2023 : tomcat9, tomcat9-admin-webapps, tomcat9-el-3.0-api (ALAS2023-2023-176)	Nessus	Amazon Linux Local Security Checks	high
174898	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6.2)	Nessus	Misc.	high
174528	Oracle MySQL Enterprise Monitor (Apr 2023 CPU)	Nessus	CGI abuses	high
174470	Oracle Database Server (Apr 2023 CPU)	Nessus	Databases	medium
174369	SUSE SLES15 / openSUSE 15 Security Update : tomcat (SUSE-SU-2023:1853-1)	Nessus	SuSE Local Security Checks	high
174176	RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.7.2 (RHSA-2023:1663)	Nessus	Red Hat Local Security Checks	high
173947	Debian DSA-5381-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	high
173333	Nutanix AOS : (NXSA-AOS-6.6.0.5)	Nessus	Misc.	high
113508	Apache Tomcat 8.5.x < 8.5.84 JsonErrorReportValve Injection	Web App Scanning	Component Vulnerability	high
113507	Apache Tomcat 9.0.0-M1 < 9.0.69 JsonErrorReportValve Injection	Web App Scanning	Component Vulnerability	high
113506	Apache Tomcat 10.1.0-M1 < 10.1.2 JsonErrorReportValve Injection	Web App Scanning	Component Vulnerability	high
701434	Apache Tomcat < 8.5.84 Vulnerability	Nessus Network Monitor	Web Servers	medium
701433	Apache Tomcat < 9.0.69 Vulnerability	Nessus Network Monitor	Web Servers	medium
701432	Apache Tomcat < 10.1.2 Vulnerability	Nessus Network Monitor	Web Servers	medium
169460	Apache Tomcat 10.1.0.M1 < 10.1.2	Nessus	Web Servers	high
169459	Apache Tomcat 9.0.40 < 9.0.69	Nessus	Web Servers	high
169458	Apache Tomcat 8.5.83	Nessus	Web Servers	high

Detections

Analytics

CVE-2022-45143

high

Tenable Plugins

high

high

high

critical

high

high

high

high

medium

high

high

high

high

high

high

high

medium

medium

medium

high

high

high