The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3288 advisory.

  - An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are     affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with     authentication could leak credentials to other services that exist on different protocols or port numbers.
    (CVE-2022-27774)

  - libcurl would reuse a previously created connection even when a TLS or SSHrelated option had been changed     that should have prohibited reuse.libcurl keeps previously used connections in a connection pool for     subsequenttransfers to reuse if one of them matches the setup. However, several TLS andSSH settings were     left out from the configuration match checks, making themmatch too easily. (CVE-2022-27782)

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to     ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle     previously was used to issue a `PUT` request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is     changed from a PUT to a POST. (CVE-2022-32221)

  - When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control     codes that when later are sent back to a HTTPserver might make the server return 400 responses.
    Effectively allowing asister site to deny service to all siblings. (CVE-2022-35252)

  - No description is available for this CVE. (CVE-2022-43551) (CVE-2022-43552)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Siemens SINEC NMS installed on the remote host is prior to 1.0.3.1. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA-892048 advisory.

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to     ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle     previously was used to issue a `PUT` request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is     changed from a PUT to a POST. (CVE-2022-32221)

  - When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control     codes that when later are sent back to a HTTPserver might make the server return 400 responses.
    Effectively allowing a 'sister site to deny service to all siblings. (CVE-2022-35252)

  - curl can be told to parse a `.netrc` file for credentials. If that file endsin a line with 4095     consecutive non-white space letters and no newline, curlwould first read past the end of the stack-based     buffer, and if the readworks, write a zero byte beyond its boundary.This will in most cases cause a     segfault or similar, but circumstances might also cause different outcomes.If a malicious user can provide     a custom netrc file to an application or otherwise affect its contents, this flaw could be used as denial-     of-service. (CVE-2022-35260)

  - libexpat before 2.4.9 has a use-after-free in the doContent function in xmlparse.c. (CVE-2022-40674)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

  - In libexpat through 2.4.9, there is a use-after free caused by overeager destruction of a shared DTD in     XML_ExternalEntityParserCreate in out-of-memory situations. (CVE-2022-43680)

  - curl before 7.86.0 has a double free. If curl is told to use an HTTP proxy for a transfer with a non-     HTTP(S) URL, it sets up the connection to the remote server by issuing a CONNECT request to the proxy, and     then tunnels the rest of the protocol through. An HTTP proxy might refuse this request (HTTP proxies often     only allow outgoing connections to specific port numbers, like 443 for HTTPS) and instead return a non-200     status code to the client. Due to flaws in the error/cleanup handling, this could trigger a double free in     curl if one of the following schemes were used in the URL for the transfer: dict, gopher, gophers, ldap,     ldaps, rtmp, rtmps, or telnet. The earliest affected version is 7.77.0. (CVE-2022-42915)

  - In curl before 7.86.0, the HSTS check could be bypassed to trick it into staying with HTTP. Using its HSTS     support, curl can be instructed to use HTTPS directly (instead of using an insecure cleartext HTTP step)     even when HTTP is provided in the URL. This mechanism could be bypassed if the host name in the given URL     uses IDN characters that get replaced with ASCII counterparts as part of the IDN conversion, e.g., using     the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full stop of U+002E (.).
    The earliest affected version is 7.77.0 2021-05-26. (CVE-2022-42916)

  - A vulnerability exists in curl <7.87.0 HSTS check that could be bypassed to trick it to keep using HTTP.
    Using its HSTS support, curl can be instructed to use HTTPS instead of using an insecure clear-text HTTP     step even when HTTP is provided in the URL. However, the HSTS mechanism could be bypassed if the host name     in the given URL first uses IDN characters that get replaced to ASCII counterparts as part of the IDN     conversion. Like using the character UTF-8 U+3002 (IDEOGRAPHIC FULL STOP) instead of the common ASCII full     stop (U+002E) `.`. Then in a subsequent request, it does not detect the HSTS state and makes a clear text     transfer. Because it would store the info IDN encoded but look for it IDN decoded. (CVE-2022-43551)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to     ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle     previously was used to issue a `PUT` request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is     changed from a PUT to a POST. (CVE-2022-32221)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:0428 advisory.

  - curl: Incorrect handling of control code characters in cookies (CVE-2022-35252)

  - curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)

  - curl: FTP too eager connection reuse (CVE-2023-27535)

  - curl: GSS delegation too eager connection re-use (CVE-2023-27536)

  - curl: more POST-after-PUT confusion (CVE-2023-28322)

  - curl: information disclosure by exploiting a mixed case flaw (CVE-2023-46218)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of curl installed on the remote host is prior to 7.61.1-12.104. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2023-1729 advisory.

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

  - An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the     chained HTTP compression algorithms, meaning that a server response can be compressed multiple times and     potentially with differentalgorithms. The number of acceptable links in this decompression chain     wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a     virtually unlimited number of compression steps simply byusing many headers. The use of such a     decompression chain could result in a malloc bomb, making curl end up spending enormous amounts of     allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)

  - A path traversal vulnerability exists in curl <8.0.0 SFTP implementation causes the tilde (~) character to     be wrongly replaced when used as a prefix in the first path element, in addition to its intended use as     the first element to indicate a path relative to the user's home directory. Attackers can exploit this     flaw to bypass filtering or execute arbitrary code by crafting a path like /~2/foo while accessing a     server with a specific user. (CVE-2023-27534)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3354 advisory.

  - httpd: mod_dav: out-of-bounds read/write of zero byte (CVE-2006-20001)

  - openssl: timing attack in RSA Decryption implementation (CVE-2022-4304)

  - openssl: double free after calling PEM_read_bio_ex (CVE-2022-4450)

  - apr-util: out-of-bounds writes in the apr_base64 (CVE-2022-25147)

  - curl: HSTS bypass via IDN (CVE-2022-43551)

  - curl: Use-after-free triggered by an HTTP proxy deny response (CVE-2022-43552)

  - openssl: use-after-free following BIO_new_NDEF (CVE-2023-0215)

  - openssl: X.400 address type confusion in X.509 GeneralName (CVE-2023-0286)

  - curl: HSTS ignored on multiple requests (CVE-2023-23914)

  - curl: HSTS amnesia with --parallel (CVE-2023-23915)

  - curl: HTTP multi-header compression denial of service (CVE-2023-23916)

  - httpd: HTTP request splitting with mod_rewrite and mod_proxy (CVE-2023-25690)

  - curl: TELNET option IAC injection (CVE-2023-27533)

  - curl: SFTP path ~ resolving discrepancy (CVE-2023-27534)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - An insufficiently protected credentials vulnerability exists in curl 4.9 to and include curl 7.82.0 are     affected that could allow an attacker to extract credentials when follows HTTP(S) redirects is used with     authentication could leak credentials to other services that exist on different protocols or port numbers.
    (CVE-2022-27774)

  - A insufficiently protected credentials vulnerability in fixed in curl 7.83.0 might leak authentication or     cookie header data on HTTP redirects to the same host but another port number. (CVE-2022-27776)

  - curl < 7.84.0 supports 'chained' HTTP compression algorithms, meaning that a serverresponse can be     compressed multiple times and potentially with different algorithms. The number of acceptable 'links' in     this 'decompression chain' was unbounded, allowing a malicious server to insert a virtually unlimited     number of compression steps.The use of such a decompression chain could result in a 'malloc bomb',     makingcurl end up spending enormous amounts of allocated heap memory, or trying toand returning out of     memory errors. (CVE-2022-32206)

  - When curl < 7.84.0 does FTP transfers secured by krb5, it handles message verification failures wrongly.
    This flaw makes it possible for a Man-In-The-Middle attack to go unnoticed and even allows it to inject     data to the client. (CVE-2022-32208)

  - When doing HTTP(S) transfers, libcurl might erroneously use the read callback (`CURLOPT_READFUNCTION`) to     ask for data to send, even when the `CURLOPT_POSTFIELDS` option has been set, if the same handle     previously was used to issue a `PUT` request which used that callback. This flaw may surprise the     application and cause it to misbehave and either send off the wrong data or use memory after free or     similar in the subsequent `POST` request. The problem exists in the logic for a reused handle when it is     changed from a PUT to a POST. (CVE-2022-32221)

  - When curl is used to retrieve and parse cookies from a HTTP(S) server, itaccepts cookies using control     codes that when later are sent back to a HTTPserver might make the server return 400 responses.
    Effectively allowing a'sister site' to deny service to all siblings. (CVE-2022-35252)

  - A use after free vulnerability exists in curl <7.87.0. Curl can be asked to *tunnel* virtually all     protocols it supports through an HTTP proxy. HTTP proxies can (and often do) deny such tunnel operations.
    When getting denied to tunnel the specific protocols SMB or TELNET, curl would use a heap-allocated struct     after it had been freed, in its transfer shutdown code path. (CVE-2022-43552)

  - An allocation of resources without limits or throttling vulnerability exists in curl <v7.88.0 based on the     'chained' HTTP compression algorithms, meaning that a server response can be compressed multiple times and     potentially with differentalgorithms. The number of acceptable 'links' in this 'decompression chain'     wascapped, but the cap was implemented on a per-header basis allowing a maliciousserver to insert a     virtually unlimited number of compression steps simply byusing many headers. The use of such a     decompression chain could result in a 'malloc bomb', making curl end up spending enormous amounts of     allocated heap memory, or trying to and returning out of memory errors. (CVE-2023-23916)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
170757	Debian DLA-3288-1 : curl - LTS security update	Nessus	Debian Local Security Checks	1/28/2023	9/5/2023	critical
175628	Siemens SINEC NMS < V1.0 SP2 Update 1 Multiple Vulnerabilities	Nessus	Windows	5/14/2023	10/23/2023	critical
178892	EulerOS Virtualization 3.0.6.6 : curl (EulerOS-SA-2023-2419)	Nessus	Huawei Local Security Checks	7/26/2023	7/26/2023	critical
189567	RHEL 8 : curl (RHSA-2024:0428)	Nessus	Red Hat Local Security Checks	1/25/2024	4/28/2024	medium
174617	Amazon Linux AMI : curl (ALAS-2023-1729)	Nessus	Amazon Linux Local Security Checks	4/21/2023	5/19/2023	high
176683	RHEL 7 / 8 : Red Hat JBoss Core Services Apache HTTP Server 2.4.51 SP2 (RHSA-2023:3354)	Nessus	Red Hat Local Security Checks	6/5/2023	4/28/2024	critical
177190	EulerOS Virtualization 3.0.6.0 : curl (EulerOS-SA-2023-2235)	Nessus	Huawei Local Security Checks	6/13/2023	6/19/2023	critical

Detections

Analytics

Plugins Search

critical

critical

critical

medium

high

critical

critical