ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0 so that no limit is applied.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101477 advisory.

  - ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding     theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in     ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In     vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed     length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so     that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0     so that no limit is applied. (CVE-2024-37890)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding     theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in     ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In     vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed     length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so     that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0     so that no limit is applied. (CVE-2024-37890)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-362915851c advisory.

    Update bundled ws (CVE-2024-37890)

    ----

    Update bundled elliptic to fix CVE-2024-48949.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-d79685d847 advisory.

    Update bundled ws (CVE-2024-37890)

    ----

    Update bundled dependencies to fix CVE-2024-48949.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 40 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-66b0bdad35 advisory.

    Update bundled ws (CVE-2024-37890)

    ----

    Update bundled elliptic to fix CVE-2024-48949.

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Azure CycleCloud product is missing security updates. It is, therefore, affected by the following vulnerabilities:

  - A remote code execution vulnerability exists due to a disclosure of the storage credentials. An     authenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands     with root privileges. (CVE-2024-38195)

  - A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt     captured messages in TLS servers that use RSA key exchanges, which may lead to exposure of confidential or     sensitive data. (CVE-2023-50782)

  - A denial of service (DoS) vulnerability exists in python-cryptography due to the     pkcs12.serialize_key_and_certificates function. An unauthenticated, remote attacker can exploit this     issue, via specially crafted certificate, to cause the process to stop responding. (CVE-2024-26130)

  - A denial of service (DoS) vulnerability exists in ws, an open source WebSocket client and server for     Node.js, due to the handling of headers. An unauthenticated, remote attacker can exploit this issue, via     specially crafted request, to cause the application to stop responding. (CVE-2024-37890)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-37890 advisory.

  - ws is an open source WebSocket client and server for Node.js. A request with a number of headers exceeding     theserver.maxHeadersCount threshold could be used to crash a ws server. The vulnerability was fixed in     ws@8.17.1 (e55e510) and backported to ws@7.5.10 (22c2876), ws@6.2.3 (eeb76d3), and ws@5.2.4 (4abd8f6). In     vulnerable versions of ws, the issue can be mitigated in the following ways: 1. Reduce the maximum allowed     length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options so     that no more headers than the server.maxHeadersCount limit can be sent. 2. Set server.maxHeadersCount to 0     so that no limit is applied. (CVE-2024-37890)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
282325	Atlassian Confluence < 8.5.10 / 9.2.x < 9.2.5 / 9.3.x < 9.3.1 / 9.4.x < 9.5.1 / 10.0.x < 10.0.2 (CONFSERVER-101477)	Nessus	CGI abuses	high
228413	Linux Distros Unpatched Vulnerability : CVE-2024-37890	Nessus	Misc.	high
211233	Fedora 41 : yarnpkg (2024-362915851c)	Nessus	Fedora Local Security Checks	critical
209625	Fedora 39 : yarnpkg (2024-d79685d847)	Nessus	Fedora Local Security Checks	critical
209618	Fedora 40 : yarnpkg (2024-66b0bdad35)	Nessus	Fedora Local Security Checks	critical
205459	Security Updates for Azure CycleCloud (August 2024)	Nessus	Web Servers	high
202365	CBL Mariner 2.0 Security Update: reaper (CVE-2024-37890)	Nessus	MarinerOS Local Security Checks	high

Detections

Analytics

CVE-2024-37890

high

Tenable Plugins

high

high

critical

critical

critical

high

high