Detections
Analytics

TencentOS Server 3: python3:3.6.8 (TSSA-2024:1107)

high Nessus Plugin ID 239305

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1107 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2024-9287:
 A vulnerability has been found in the CPython venv module and CLI where path names provided when creating a virtual environment were not quoted properly, allowing the creator to inject commands into virtual environment activation scripts (ie source venv/bin/activate). This means that attacker-controlled virtual environments are able to run commands when the virtual environment is activated. Virtual environments which are not created by an attacker or which aren't activated before being used (ie ./venv/bin/python) are not affected.

 CVE-2024-11168:
 The urllib.parse.urlsplit() and urlparse() functions improperly validated bracketed hosts ([]), allowing hosts that weren't IPv6 or IPvFuture. This behavior was not conformant to RFC 3986 and potentially enabled SSRF if a URL is processed by more than one URL parser.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20241107.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9287

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-11168

Plugin Details

Severity: High

ID: 239305

File Name: tencentos_TSSA_2024_1107.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:python3

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/4/2024

Vulnerability Publication Date: 12/4/2024