The remote Redhat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5630 advisory.

    Kerberos is a network authentication system, which can improve the security of your network by eliminating     the insecure practice of sending passwords over the network in unencrypted form. It allows clients and     servers to authenticate to each other with the help of a trusted third party, the Kerberos key     distribution center (KDC).

    Security Fix(es):

    * krb5: GSS message token handling (CVE-2024-37371)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:5884 advisory.

    Kerberos is a network authentication system, which can improve the security of your network by eliminating     the insecure practice of sending passwords over the network in unencrypted form. It allows clients and     servers to authenticate to each other with the help of a trusted third party, the Kerberos key     distribution center (KDC).

    Security Fix(es):

    * krb5: GSS message token handling (CVE-2024-37371)

    * krb5: GSS message token handling (CVE-2024-37370)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the krb5 package has been released.

According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a     confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the     application.(CVE-2024-37370)

    In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message     token handling by sending message tokens with invalid length fields.(CVE-2024-37371)

Tenable has extracted the preceding description block directly from the EulerOS krb5 security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

    In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message     token handling by sending message tokens with invalid length fields.(CVE-2024-37371)

    In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a     confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the     application.(CVE-2024-37370)

Tenable has extracted the preceding description block directly from the EulerOS krb5 security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 7.02, has krb5 packages installed that are affected by multiple vulnerabilities:

  - In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can cause invalid memory reads during GSS message     token handling by sending message tokens with invalid length fields. (CVE-2024-37371)

  - Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/lib/gssapi/krb5/k5sealv3.c.
    (CVE-2024-26461)

  - Kerberos 5 (aka krb5) 1.21.2 contains a memory leak vulnerability in /krb5/src/kdc/ndr.c. (CVE-2024-26462)

  - In MIT Kerberos 5 (aka krb5) before 1.21.3, an attacker can modify the plaintext Extra Count field of a     confidential GSS krb5 wrap token, causing the unwrapped token to appear truncated to the application.
    (CVE-2024-37370)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The versions of MySQL Server installed on the remote host are affected by multiple vulnerabilities as referenced in the January 2025 CPU advisory.

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (Kerberos)). Supported     versions that are affected are 8.0.39 and prior, 8.4.2 and prior and  9.0.1 and prior. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.  Successful     attacks of this vulnerability can result in  unauthorized access to critical data or complete access to all MySQL     Server accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL     Server. (CVE-2024-37371)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (OpenSSL)).
    Supported versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL     Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete     access to all MySQL Server accessible data and unauthorized ability to cause a hang or frequently repeatable     crash (complete DOS) of MySQL Server. (CVE-2024-5535)

  - Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Packaging (curl)). Supported     versions that are affected are 8.0.39 and prior, 8.4.2 and prior and 9.0.1 and prior. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Server.
    Successful attacks require human interaction from a person other than the attacker. Successful attacks of     this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete     DOS) of MySQL Server. (CVE-2024-7264)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2025:1671 advisory.

    * openssl: SSL_select_next_proto buffer overread (CVE-2024-5535)
      * krb5: GSS message token handling (CVE-2024-37371)
      * curl: libcurl: ASN.1 date parser overread (CVE-2024-7264)
      * mysql: Thread Pooling unspecified vulnerability (CPU Oct 2024) (CVE-2024-21238)
      * mysql: X Plugin unspecified vulnerability (CPU Oct 2024) (CVE-2024-21196)
      * mysql: Optimizer unspecified vulnerability (CPU Oct 2024) (CVE-2024-21241)
      * mysql: Client programs unspecified vulnerability (CPU Oct 2024) (CVE-2024-21231)
      * mysql: Information Schema unspecified vulnerability (CPU Oct 2024) (CVE-2024-21197)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21218)
      * mysql: Optimizer unspecified vulnerability (CPU Oct 2024) (CVE-2024-21201)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21236)
      * mysql: Group Replication GCS unspecified vulnerability (CPU Oct 2024) (CVE-2024-21237)
      * mysql: FTS unspecified vulnerability (CPU Oct 2024) (CVE-2024-21203)
      * mysql: Health Monitor unspecified vulnerability (CPU Oct 2024) (CVE-2024-21212)
      * mysql: DML unspecified vulnerability (CPU Oct 2024) (CVE-2024-21219)
      * mysql: Optimizer unspecified vulnerability (CPU Oct 2024) (CVE-2024-21230)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21213)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21194)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21199)
      * mysql: PS unspecified vulnerability (CPU Oct 2024) (CVE-2024-21193)
      * mysql: DDL unspecified vulnerability (CPU Oct 2024) (CVE-2024-21198)
      * mysql: mysqldump unspecified vulnerability (CPU Oct 2024) (CVE-2024-21247)
      * mysql: InnoDB unspecified vulnerability (CPU Oct 2024) (CVE-2024-21239)
      * curl: curl netrc password leak (CVE-2024-11053)
      * mysql: InnoDB unspecified vulnerability (CPU Jan 2025) (CVE-2025-21497)
      * mysql: MySQL Server Options Vulnerability (CVE-2025-21520)
      * mysql: High Privilege Denial of Service Vulnerability in MySQL Server (CVE-2025-21490)
      * mysql: Information Schema unspecified vulnerability (CPU Jan 2025) (CVE-2025-21529)
      * mysql: InnoDB unspecified vulnerability (CPU Jan 2025) (CVE-2025-21531)
      * mysql: Optimizer unspecified vulnerability (CPU Jan 2025) (CVE-2025-21504)
      * mysql: Privileges unspecified vulnerability (CPU Jan 2025) (CVE-2025-21540)
      * mysql: MySQL Server InnoDB Denial of Service and Unauthorized Data Modification Vulnerability     (CVE-2025-21555)
      * mysql: Packaging unspecified vulnerability (CPU Jan 2025) (CVE-2025-21543)
      * mysql: MySQL Server InnoDB Denial of Service and Unauthorized Data Modification Vulnerability     (CVE-2025-21491)
      * mysql: DDL unspecified vulnerability (CPU Jan 2025) (CVE-2025-21525)
      * mysql: Optimizer unspecified vulnerability (CPU Jan 2025) (CVE-2025-21536)
      * mysql: Thread Pooling unspecified vulnerability (CPU Jan 2025) (CVE-2025-21521)
      * mysql: Optimizer unspecified vulnerability (CPU Jan 2025) (CVE-2025-21501)
      * mysql: Performance Schema unspecified vulnerability (CPU Jan 2025) (CVE-2025-21534)
      * mysql: Privileges unspecified vulnerability (CPU Jan 2025) (CVE-2025-21494)
      * mysql: Privileges unspecified vulnerability (CPU Jan 2025) (CVE-2025-21519)
      * mysql: Parser unspecified vulnerability (CPU Jan 2025) (CVE-2025-21522)
      * mysql: InnoDB unspecified vulnerability (CPU Jan 2025) (CVE-2025-21503)
      * mysql: Optimizer unspecified vulnerability (CPU Jan 2025) (CVE-2025-21518)
      * mysql: MySQL Server InnoDB Denial of Service and Unauthorized Data Modification Vulnerability     (CVE-2025-21559)
      * mysql: Privilege Misuse in MySQL Server Security Component (CVE-2025-21546)
      * mysql: Optimizer unspecified vulnerability (CPU Jan 2025) (CVE-2025-21500)
      * mysql: InnoDB unspecified vulnerability (CPU Jan 2025) (CVE-2025-21523)
      * mysql: Components Services unspecified vulnerability (CPU Jan 2025) (CVE-2025-21505)

Tenable has extracted the preceding description block directly from the AlmaLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
205885	RHEL 9 : krb5 (RHSA-2024:5630)	Nessus	Red Hat Local Security Checks	8/20/2024	11/7/2024	critical
206231	RHEL 8 : krb5 (RHSA-2024:5884)	Nessus	Red Hat Local Security Checks	8/27/2024	11/7/2024	critical
206699	Photon OS 3.0: Krb5 PHSA-2024-3.0-0791	Nessus	PhotonOS Local Security Checks	9/6/2024	9/6/2024	critical
207126	EulerOS 2.0 SP9 : krb5 (EulerOS-SA-2024-2395)	Nessus	Huawei Local Security Checks	9/12/2024	9/12/2024	critical
207139	EulerOS 2.0 SP10 : krb5 (EulerOS-SA-2024-2419)	Nessus	Huawei Local Security Checks	9/12/2024	9/12/2024	critical
242746	NewStart CGSL MAIN 7.02 : krb5 Multiple Vulnerabilities (NS-SA-2025-0147)	Nessus	NewStart CGSL Local Security Checks	7/25/2025	7/25/2025	critical
209249	Oracle MySQL Server 9.x < 9.1.0 (January 2025 CPU)	Nessus	Databases	10/17/2024	4/18/2025	critical
216621	AlmaLinux 9 : mysql (ALSA-2025:1671)	Nessus	Alma Linux Local Security Checks	2/21/2025	4/18/2025	critical

Detections

Analytics

Plugins Search

critical

critical

critical

critical

critical

critical

critical

critical