Detections
Analytics
Fedora 39 : exercism (2024-cafa04a149)
high Nessus Plugin ID 191779
Language:
Synopsis
The remote Fedora host is missing one or more security updates.Description
The remote Fedora 39 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2024-cafa04a149 advisory.- A malicious HTTP/2 client which rapidly creates requests and immediately resets them can cause excessive server resource consumption. While the total number of requests is bounded by the http2.Server.MaxConcurrentStreams setting, resetting an in-progress request allows the attacker to create a new request while the existing one is still executing. With the fix applied, HTTP/2 servers now bound the number of simultaneously executing handler goroutines to the stream concurrency limit (MaxConcurrentStreams). New requests arriving when at the limit (which can only happen after the client has reset an existing, in-flight request) will be queued until a handler exits. If the request queue grows too large, the server will terminate the connection. This issue is also fixed in golang.org/x/net/http2 for users manually configuring HTTP/2. The default stream concurrency limit is 250 streams (requests) per HTTP/2 connection. This value may be adjusted using the golang.org/x/net/http2 package; see the Server.MaxConcurrentStreams setting and the ConfigureServer function. (CVE-2023-39325)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected exercism package.See Also
https://bodhi.fedoraproject.org/updates/FEDORA-2024-cafa04a149
Plugin Details
Severity: High
ID: 191779
File Name: fedora_2024-cafa04a149.nasl
Version: 1.0
Type: local
Agent: unix
Family: Fedora Local Security Checks
Published: 3/10/2024
Updated: 3/10/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: High
Base Score: 7.8
Temporal Score: 5.8
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS Score Source: CVE-2023-39325
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:fedoraproject:fedora:39, p-cpe:/a:fedoraproject:fedora:exercism
Required KB Items: Host/RedHat/rpm-list, Host/local_checks_enabled, Host/RedHat/release
Exploit Ease: No known exploits are available
Patch Publication Date: 3/1/2024
Vulnerability Publication Date: 10/11/2023
Reference Information
CVE: CVE-2023-39325
FEDORA: 2024-cafa04a149