The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output     a regular expression that can be exploited to cause poor performance. Because JavaScript is single     threaded and regex matching runs on the main thread, poor performance will block the event loop and lead     to a DoS. The bad regular expression is generated any time you have two parameters within a single     segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other     users should upgrade to 8.0.0. (CVE-2024-45296)

Note that Nessus relies on the presence of the package as reported by the vendor.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:10762 advisory.

    Red Hat Ansible Automation Platform provides an enterprise framework for building, deploying and managing     IT automation at scale. IT Managers can provide top-down guidelines on how automation is applied to     individual teams, while automation developers retain the freedom to write tasks that leverage existing     knowledge without the overhead. Ansible Automation Platform makes it possible for users across an     organization to share, vet, and manage automation content by means of a simple, powerful, and agentless     language.

    Security Fix(es):
    * automation-controller: dompurify: XSS vulnerability via prototype pollution (CVE-2024-45801)
    * automation-controller: path-to-regexp: Backtracking regular expressions cause ReDoS (CVE-2024-45296)
    * ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging     (CVE-2024-8775)
    * ansible-core: ansible-core user may read/write unauthorized content (CVE-2024-9902)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Updates and fixes for automation controller:
    * Fix job schedules running at incorrect times when rrule interval was set to HOURLY or MINUTELY     (AAP-36573)
    * Fixed an issue where sensitive data was displayed in the job output (AAP-35582)
    * With this update, you can now save a constructed inventory when verbosity is greater than 2 (AAP-35570)
    * Fix bug where unrelated jobs could be marked as a dependency of other jobs (AAP-35310)
    * Add support for receiving webhooks from Bitbucket Data Center, and add support for posting build     statuses back (AAP-35013)
    * Notification List no longer errors when notifications have a missing or null organization field     (AAP-34051)
    * Fixed an issue where Thycotic secret server credentials form fields were mis-matched (AAP-31236)
    * automation-controller has been updated to 4.5.13

    Updates and fixes for receptor:
    * Fixed an issue that caused a Receptor runtime panic error (AAP-36477)
    * receptor has been updated to 1.5.1

    Updates and fixes for installer and setup:
    * Receptor data directory can now be configured using 'receptor_datadir' variable (AAP-36699)
    * Fixed issue where metrics-utility command failed to run after updating Automation controller (AAP-36567)
    * Fix issue where the dispatcher service went into FATAL status and failed to process new jobs after a     database outage of a few minutes (AAP-36456)
    * Fixed an issue that caused incorrect IDs for RBAC in the database following a backup restore (AAP-35311)
    * With this update, installer tasks that include CA or key information are obfuscated (AAP-27480)
    * installer and setup have been updated to 2.4-8

    Note: The 2.4-8 installer can restore a backup created with 2.4-8 or later only. Ensure that you make a     backup before and after the upgrade to 2.4-8 or later.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Atlassian Confluence Server running on the remote host is affected by a vulnerability as referenced in the CONFSERVER-101480 advisory.

  - path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output     a regular expression that can be exploited to cause poor performance. Because JavaScript is single     threaded and regex matching runs on the main thread, poor performance will block the event loop and lead     to a DoS. The bad regular expression is generated any time you have two parameters within a single     segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other     users should upgrade to 8.0.0. (CVE-2024-45296)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Atlassian Jira Service Management Data Center and Server (Jira Service Desk) running on the remote host is affected by a vulnerability as referenced in the JSDSERVER-16485 advisory.

  - path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output     a regular expression that can be exploited to cause poor performance. Because JavaScript is single     threaded and regex matching runs on the main thread, poor performance will block the event loop and lead     to a DoS. The bad regular expression is generated any time you have two parameters within a single     segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other     users should upgrade to 8.0.0. (CVE-2024-45296)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of IBM Spectrum Protect Plus Web UI installed on the remote host is prior to 10.1.17.1 IBM Spectrum Protect Plus. It is, therefore, affected by multiple vulnerabilities as referenced in the 7237702 advisory.

  - Jinja is an extensible templating engine. Prior to 3.1.6, an oversight in how the Jinja sandboxed     environment interacts with the |attr filter allows an attacker that controls the content of a template to     execute arbitrary Python code. To exploit the vulnerability, an attacker needs to control the content of a     template. Whether that is the case depends on the type of application using Jinja. This vulnerability     impacts users of applications which execute untrusted templates. Jinja's sandbox does catch calls to     str.format and ensures they don't escape the sandbox. However, it's possible to use the |attr filter to     get a reference to a string's plain format method, bypassing the sandbox. After the fix, the |attr filter     no longer bypasses the environment's attribute lookup. This vulnerability is fixed in 3.1.6.
    (CVE-2025-27516)

  - This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on     Linux machines due to the options params not being sanitised when being passed an array. (CVE-2020-7789)

  - Requests is a HTTP library. Since Requests 2.3.0, Requests has been leaking Proxy-Authorization headers to     destination servers when redirected to an HTTPS endpoint. This is a product of how we use     `rebuild_proxies` to reattach the `Proxy-Authorization` header to requests. For HTTP connections sent     through the tunnel, the proxy will identify the header in the request itself and remove it prior to     forwarding to the destination server. However when sent over HTTPS, the `Proxy-Authorization` header must     be sent in the CONNECT request as the proxy has no visibility into the tunneled request. This results in     Requests forwarding proxy credentials to the destination server unintentionally, allowing a malicious     actor to potentially exfiltrate sensitive information. This issue has been patched in version 2.31.0.
    (CVE-2023-32681)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of reaper installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-45296 advisory.

  - path-to-regexp turns path strings into a regular expressions. In certain cases, path-to-regexp will output     a regular expression that can be exploited to cause poor performance. Because JavaScript is single     threaded and regex matching runs on the main thread, poor performance will block the event loop and lead     to a DoS. The bad regular expression is generated any time you have two parameters within a single     segment, separated by something that is not a period (.). For users of 0.1, upgrade to 0.1.10. All other     users should upgrade to 8.0.0. (CVE-2024-45296)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
229239	Linux Distros Unpatched Vulnerability : CVE-2024-45296	Nessus	Misc.	3/5/2025	1/30/2026	high
212033	RHEL 8 / 9 : Red Hat Ansible Automation Platform 2.4 Product Security and Bug Fix Update (Moderate) (RHSA-2024:10762)	Nessus	Red Hat Local Security Checks	12/3/2024	10/24/2025	medium
282324	Atlassian Confluence < 8.5.17 / 8.6.x < 9.2.6 / 9.3.1 < 9.4.0 / 9.5.x < 9.5.1 / 10.0.x < 10.0.2 (CONFSERVER-101480)	Nessus	CGI abuses	1/7/2026	1/7/2026	high
298004	Atlassian Jira Service Management Data Center and Server 10.2.x < 10.3.6 (JSDSERVER-16485)	Nessus	Misc.	2/5/2026	2/5/2026	high
240343	IBM Spectrum Protect Plus Web UI 10.1.0 < 10.1.17.1 (7237702)	Nessus	Misc.	6/25/2025	3/11/2026	medium
209179	CBL Mariner 2.0 Security Update: reaper (CVE-2024-45296)	Nessus	MarinerOS Local Security Checks	10/17/2024	1/22/2026	high

Detections

Analytics

Plugins Search

high

medium

high

high

medium

high