The remote CentOS Linux 9 host has a package installed that is affected by multiple vulnerabilities as referenced in the grafana-9.0.9-1.el9 build changelog.

  - XSS (CVE-2021-23648)

  - Grafana is an open source data visualization platform. In affected versions unauthenticated and     authenticated users are able to view the snapshot with the lowest database key by accessing the literal     paths: /dashboard/snapshot/:key, or /api/snapshots/:key. If the snapshot public_mode configuration     setting is set to true (vs default of false), unauthenticated users are able to delete the snapshot with     the lowest database key by accessing the literal path: /api/snapshots-delete/:deleteKey. Regardless of the     snapshot public_mode setting, authenticated users are able to delete the snapshot with the lowest     database key by accessing the literal paths: /api/snapshots/:key, or /api/snapshots-delete/:deleteKey. The     combination of deletion and viewing enables a complete walk through all snapshot data while resulting in     complete snapshot data loss. This issue has been resolved in versions 8.1.6 and 7.5.11. If for some reason     you cannot upgrade you can use a reverse proxy or similar to block access to the literal paths:
    /api/snapshots/:key, /api/snapshots-delete/:deleteKey, /dashboard/snapshot/:key, and /api/snapshots/:key.
    They have no normal function and can be disabled without side effects. (CVE-2021-39226)

  - directory traversal vulnerability for *.md files (CVE-2021-43813)

  - net/http: limit growth of header canonicalization cache (CVE-2021-44716)

  - net/http: improper sanitization of Transfer-Encoding header (CVE-2022-1705)

  - go/parser: stack exhaustion in all Parse* functions (CVE-2022-1962)

  - Forward OAuth Identity Token can allow users to access some data sources (CVE-2022-21673)

  - client_golang is the instrumentation library for Go applications in Prometheus, and the promhttp package     in client_golang provides tooling around HTTP servers and clients. In client_golang prior to version     1.11.1, HTTP server is susceptible to a Denial of Service through unbounded cardinality, and potential     memory exhaustion, when handling requests with non-standard HTTP methods. In order to be affected, an     instrumented software must use any of `promhttp.InstrumentHandler*` middleware except `RequestsInFlight`;
    not filter any specific methods (e.g GET) before middleware; pass metric with `method` label name to our     middleware; and not have any firewall/LB/proxy that filters away requests with unknown `method`.
    client_golang version 1.11.1 contains a patch for this issue. Several workarounds are available, including     removing the `method` label name from counter/gauge used in the InstrumentHandler; turning off affected     promhttp handlers; adding custom middleware before promhttp handler that will sanitize the request method     given by Go http.Request; and using a reverse proxy or web application firewall, configured to only allow     a limited set of methods. (CVE-2022-21698)

  - XSS vulnerability in data source handling (CVE-2022-21702)

  - CSRF vulnerability can lead to privilege escalation (CVE-2022-21703)

  - IDOR vulnerability can lead to information disclosure (CVE-2022-21713)

  - encoding/xml: stack exhaustion in Decoder.Skip (CVE-2022-28131)

  - io/fs: stack exhaustion in Glob (CVE-2022-30630)

  - compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

  - path/filepath: stack exhaustion in Glob (CVE-2022-30632)

  - encoding/xml: stack exhaustion in Unmarshal (CVE-2022-30633)

  - encoding/gob: stack exhaustion in Decoder.Decode (CVE-2022-30635)

  - OAuth account takeover (CVE-2022-31107)

  - net/http/httputil: NewSingleHostReverseProxy (CVE-2022-32148)

  - Escalation from admin to server admin when auth proxy is used (rhbz#2125530) (CVE-2022-35957)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
191236	CentOS 9 : grafana-9.0.9-1.el9	Nessus	CentOS Local Security Checks	2/29/2024	4/26/2024	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	5/2/2024	7/29/2024	critical

Detections

Analytics

Plugins Search

high

critical