Detections
Analytics
Fedora 40 : golang-cloud-google / golang-cloud-google-bigquery / etc (2023-f23d9c5057)
high Nessus Plugin ID 194636
Language:
Synopsis
The remote Fedora host is missing one or more security updates.Description
The remote Fedora 40 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2023-f23d9c5057 advisory.- Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated and DAG- view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.1 or later which has removed the vulnerability. (CVE-2023-40611)
- Apache Airflow, versions before 2.7.1, is affected by a vulnerability that allows authenticated users who have access to see the task/dag in the UI, to craft a URL, which could lead to unmasking the secret configuration of the task that otherwise would be masked in the UI. Users are strongly advised to upgrade to version 2.7.1 or later which has removed the vulnerability. (CVE-2023-40712)
- In the Apache Airflow HDFS Provider, versions prior to 4.1.1, a documentation info pointed users to an install incorrect pip package. As this package name was unclaimed, in theory, an attacker could claim this package and provide code that would be executed when this package was installed. The Airflow team has since taken ownership of the package (neutralizing the risk), and fixed the doc strings in version 4.1.1 (CVE-2023-41267)
- We failed to apply CVE-2023-40611 in 2.7.1 and this vulnerability was marked as fixed then. Apache Airflow, versions before 2.7.3, is affected by a vulnerability that allows authenticated and DAG-view authorized Users to modify some DAG run detail values when submitting notes. This could have them alter details such as configuration parameters, start date, etc. Users should upgrade to version 2.7.3 or later which has removed the vulnerability. (CVE-2023-47037)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Update the affected packages.See Also
https://bodhi.fedoraproject.org/updates/FEDORA-2023-f23d9c5057
Plugin Details
Severity: High
ID: 194636
File Name: fedora_2023-f23d9c5057.nasl
Version: 1.0
Type: local
Agent: unix
Family: Fedora Local Security Checks
Published: 4/29/2024
Updated: 4/29/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.2
Temporal Score: 5.3
Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C
CVSS Score Source: CVE-2023-41267
CVSS v3
Risk Factor: High
Base Score: 7.8
Temporal Score: 6.8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:fedoraproject:fedora:40, p-cpe:/a:fedoraproject:fedora:golang-cloud-google, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-bigquery, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-compute, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-compute-metadata, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-datacatalog, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-datastore, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-firestore, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-iam, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-kms, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-logging, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-longrunning, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-monitoring, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-osconfig, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-pubsub, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-secretmanager, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-spanner, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-storage, p-cpe:/a:fedoraproject:fedora:golang-cloud-google-trace
Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 11/20/2023
Vulnerability Publication Date: 9/12/2023
Reference Information
CVE: CVE-2023-40611, CVE-2023-40712, CVE-2023-41267, CVE-2023-47037
FEDORA: 2023-f23d9c5057