Detections
Analytics

RHEL 8 : RHUI 4.8 Release - Security Updates, Bug Fixes, and Enhancements (Moderate) (RHSA-2024:1878)

high Nessus Plugin ID 193467

Language:

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1878 advisory.

 - python-django: Potential regular expression denial of service vulnerability in EmailValidator/URLValidator (CVE-2023-36053)

 - python-aiohttp: HTTP request smuggling via llhttp HTTP request parser (CVE-2023-37276)

 - python-django: Potential denial of service vulnerability in ``django.utils.encoding.uri_to_iri()`` (CVE-2023-41164)

 - python-django: Denial-of-service possibility in django.utils.text.Truncator (CVE-2023-43665)

 - python-aiohttp: numerous issues in HTTP parser with header parsing (CVE-2023-47627)

 - aiohttp: HTTP request modification (CVE-2023-49081)

 - aiohttp: CRLF injection if user controls the HTTP method using aiohttp client (CVE-2023-49082)

 - python-cryptography: NULL-dereference when loading PKCS7 certificates (CVE-2023-49083)

 - jinja2: HTML attribute injection when passing user input as keys to xmlattr filter (CVE-2024-22195)

 - aiohttp: follow_symlinks directory traversal vulnerability (CVE-2024-23334)

 - python-ecdsa: vulnerable to the Minerva attack (CVE-2024-23342)

 - python-aiohttp: http request smuggling (CVE-2024-23829)

 - Django: denial-of-service in ``intcomma`` template filter (CVE-2024-24680)

 - python-django: Potential regular expression denial-of-service in django.utils.text.Truncator.words() (CVE-2024-27351)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/updates/classification/#moderate

https://bugzilla.redhat.com/show_bug.cgi?id=2218004

https://bugzilla.redhat.com/show_bug.cgi?id=2224185

https://bugzilla.redhat.com/show_bug.cgi?id=2227307

https://bugzilla.redhat.com/show_bug.cgi?id=2237258

https://bugzilla.redhat.com/show_bug.cgi?id=2241046

https://bugzilla.redhat.com/show_bug.cgi?id=2249825

https://bugzilla.redhat.com/show_bug.cgi?id=2252235

https://bugzilla.redhat.com/show_bug.cgi?id=2252248

https://bugzilla.redhat.com/show_bug.cgi?id=2255331

https://bugzilla.redhat.com/show_bug.cgi?id=2257854

https://bugzilla.redhat.com/show_bug.cgi?id=2259780

https://bugzilla.redhat.com/show_bug.cgi?id=2261856

https://bugzilla.redhat.com/show_bug.cgi?id=2261887

https://bugzilla.redhat.com/show_bug.cgi?id=2261909

https://bugzilla.redhat.com/show_bug.cgi?id=2266045

https://issues.redhat.com/browse/RHUI-434

https://issues.redhat.com/browse/RHUI-514

https://issues.redhat.com/browse/RHUI-516

http://www.nessus.org/u?ef85de2f

https://access.redhat.com/errata/RHSA-2024:1878

Plugin Details

Severity: High

ID: 193467

File Name: redhat-RHSA-2024-1878.nasl

Version: 1.0

Type: local

Agent: unix

Published: 4/18/2024

Updated: 4/18/2024

Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.1

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 6.1

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:N

CVSS Score Source: CVE-2024-23334

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:enterprise_linux:8, p-cpe:/a:redhat:enterprise_linux:python-aiohttp, p-cpe:/a:redhat:enterprise_linux:python-cryptography, p-cpe:/a:redhat:enterprise_linux:python-django, p-cpe:/a:redhat:enterprise_linux:python-ecdsa, p-cpe:/a:redhat:enterprise_linux:python-jinja2, p-cpe:/a:redhat:enterprise_linux:python3.11-aiohttp, p-cpe:/a:redhat:enterprise_linux:python3.11-cryptography, p-cpe:/a:redhat:enterprise_linux:python3.11-django, p-cpe:/a:redhat:enterprise_linux:python3.11-ecdsa, p-cpe:/a:redhat:enterprise_linux:python3.11-jinja2

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/18/2024

Vulnerability Publication Date: 7/3/2023

Reference Information

CVE: CVE-2023-36053, CVE-2023-37276, CVE-2023-41164, CVE-2023-43665, CVE-2023-47627, CVE-2023-49081, CVE-2023-49082, CVE-2023-49083, CVE-2024-22195, CVE-2024-23334, CVE-2024-23342, CVE-2024-23829, CVE-2024-24680, CVE-2024-27351

CWE: 1333, 20, 22, 385, 400, 444, 476, 79, 93

RHSA: 2024:1878