The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:0161 advisory.

  - hibernate-validator: safeHTML validator allows XSS (CVE-2019-10219)

  - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariConfig (CVE-2019-14540)

  - JBoss EAP: Vault system property security attribute value is revealed on CLI 'reload' command     (CVE-2019-14885)

  - undertow: possible Denial Of Service (DOS) in Undertow HTTP server listening on HTTPS (CVE-2019-14888)

  - jackson-databind: Serialization gadgets in classes of the commons-configuration package (CVE-2019-14892)

  - jackson-databind: Serialization gadgets in classes of the xalan package (CVE-2019-14893)

  - jackson-databind: Serialization gadgets in com.zaxxer.hikari.HikariDataSource (CVE-2019-16335)

  - netty: HTTP request smuggling by mishandled whitespace before the colon in HTTP headers (CVE-2019-16869)

  - jackson-databind: Serialization gadgets in org.apache.commons.dbcp.datasources.* (CVE-2019-16942)

  - jackson-databind: Serialization gadgets in com.p6spy.engine.spy.P6DataSource (CVE-2019-16943)

  - jackson-databind: Serialization gadgets in classes of the ehcache package (CVE-2019-17267)

  - jackson-databind: Serialization gadgets in org.apache.log4j.receivers.db.* (CVE-2019-17531)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

RHEL 8 : Red Hat JBoss Enterprise Application Platform 7.2.6 on RHEL 8 (RHSA-2020:0161)

critical Nessus Plugin ID 133158

Version 1.6

Version 1.5

Version 1.5

Version 1.6 Mar 29, 2024, 4:15 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C". "CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv3 score source (set to "CVE-2019-17531") Exploit attributes ("Exploit available" set to "True". "Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202403291615
Version 1.5 Jan 23, 2023, 7:12 PM Logic Changes (Added support for repository relative URLs) Plugin Feed: 202301231912
Version 1.5 Mar 29, 2024, 1:58 PM CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:POC/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:P/RL:O/RC:C") CVSSv3 score source (set to "CVE-2019-17531") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Plugin Feed: 202403291358