Vulnerabilities > CVE-2016-7103 - Cross-site Scripting vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
LOW Integrity impact
LOW Availability impact
NONE Summary
Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Embedding Scripts in Non-Script Elements This attack is a form of Cross-Site Scripting (XSS) where malicious scripts are embedded in elements that are not expected to host scripts such as image tags (<img>), comments in XML documents (< !-CDATA->), etc. These tags may not be subject to the same input validation, output validation, and other content filtering and checking routines, so this can create an opportunity for an attacker to tunnel through the application's elements and launch a XSS attack through other elements. As with all remote attacks, it is important to differentiate the ability to launch an attack (such as probing an internal network for unpatched servers) and the ability of the remote attacker to collect and interpret the output of said attack.
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Cross-Site Scripting in Error Pages An attacker distributes a link (or possibly some other query structure) with a request to a third party web server that is malformed and also contains a block of exploit code in order to have the exploit become live code in the resulting error page. When the third party web server receives the crafted request and notes the error it then creates an error message that echoes the malformed message, including the exploit. Doing this converts the exploit portion of the message into to valid language elements that are executed by the viewing browser. When a victim executes the query provided by the attacker the infected error message error message is returned including the exploit code which then runs in the victim's browser. XSS can result in execution of code as well as data leakage (e.g. session cookies can be sent to the attacker). This type of attack is especially dangerous since the exploit appears to come from the third party web server, who the victim may trust and hence be more vulnerable to deception.
- Cross-Site Scripting Using Alternate Syntax The attacker uses alternate forms of keywords or commands that result in the same action as the primary form but which may not be caught by filters. For example, many keywords are processed in a case insensitive manner. If the site's web filtering algorithm does not convert all tags into a consistent case before the comparison with forbidden keywords it is possible to bypass filters (e.g., incomplete black lists) by using an alternate case structure. For example, the "script" tag using the alternate forms of "Script" or "ScRiPt" may bypass filters where "script" is the only form tested. Other variants using different syntax representations are also possible as well as using pollution meta-characters or entities that are eventually ignored by the rendering engine. The attack can result in the execution of otherwise prohibited functionality.
Nessus
NASL family Misc. NASL id ORACLE_WEBLOGIC_SERVER_CPU_JUL_2019.NASL description The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729) - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the Tape Virtual Storage Manager GUI. (CVE-2019-2725) - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827) - An unspecified vulnerability in the jQuery Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. Successful attacks require human interaction from actions from another Weblogic user. (CVE-2016-71030) - An unspecified vulnerability in the Application Container - JavaEE Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in takeover of Oracle WebLogic Server. (CVE-2019-2856) - An unspecified vulnerability in the Sample apps (Spring Framework) Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756) last seen 2020-06-01 modified 2020-06-02 plugin id 126915 published 2019-07-22 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126915 title Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(126915); script_version("1.10"); script_cvs_date("Date: 2019/11/20"); script_cve_id( "CVE-2016-7103", "CVE-2018-15756", "CVE-2019-2725", "CVE-2019-2729", "CVE-2019-2824", "CVE-2019-2827", "CVE-2019-2856" ); script_bugtraq_id(107944); script_name(english:"Oracle WebLogic Server Multiple Vulnerabilities (Jul 2019 CPU)"); script_summary(english:"Checks the version of Oracle WebLogic to ensure the July 2019 CPU is applied."); script_set_attribute(attribute:"synopsis", value: "An application server installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities: - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the StorageTek Tape Analytics SW Tool. (CVE-2019-2725) (CVE-2019-2729) - An unspecified vulnerability allows a remote unauthenticated attacker with network access to compromise and takeover the Tape Virtual Storage Manager GUI. (CVE-2019-2725) - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. (CVE-2019-2824) (CVE-2019-2827) - An unspecified vulnerability in the jQuery Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. Successful attacks require human interaction from actions from another Weblogic user. (CVE-2016-71030) - An unspecified vulnerability in the Application Container - JavaEE Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via T3 to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in takeover of Oracle WebLogic Server. (CVE-2019-2856) - An unspecified vulnerability in the Sample apps (Spring Framework) Component of Oracle WebLogic Server allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server. A successful attack of this vulnerability could result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server. (CVE-2018-15756)"); # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9aa2b901"); # https://www.oracle.com/technetwork/security-advisory/cpujul2019verbose-5072838.html#FMW script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?09b101ce"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2019 Oracle Critical Patch Update advisory. Refer to Oracle for any additional patch instructions or mitigation options."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2729"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Oracle Weblogic Server Deserialization RCE - AsyncResponseService'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2019/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/07/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:weblogic_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_weblogic_server_installed.nbin", "os_fingerprint.nasl"); script_require_keys("installed_sw/Oracle WebLogic Server"); exit(0); } include('audit.inc'); include('global_settings.inc'); include('misc_func.inc'); include('install_func.inc'); include('obj.inc'); include('spad_log_func.inc'); app_name = "Oracle WebLogic Server"; install = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE); ohome = install["Oracle Home"]; subdir = install["path"]; version = install["version"]; fix = NULL; fix_ver = NULL; spad_log(message:"checking version [" + version + "]"); # individual security patches if (version =~ "^12\.2\.1\.3($|[^0-9])") { fix_ver = "12.2.1.3.190522"; fix = make_list("29814665"); } else if (version =~ "^12\.1\.3\.") { fix_ver = "12.1.3.0.190716"; fix = make_list("29633448"); } else if (version =~ "^10\.3\.6\.") { fix_ver = "10.3.6.0.190716"; fix = make_list("MXLE"); # patchid is obtained from the readme and 10.3.6.x assets are different } else audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); spad_log(message:"checking fix [" + obj_rep(fix) + "]"); PATCHED=FALSE; # Iterate over the list of patches and check the install for the patchID foreach id (fix) { spad_log(message:"Checking fix id: [" + id +"]"); if (install[id]) { PATCHED=TRUE; break; } } VULN=FALSE; if (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1) VULN=TRUE; if (PATCHED || !VULN) audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir); os = get_kb_item_or_exit("Host/OS"); if ('windows' >< tolower(os)) { port = get_kb_item("SMB/transport"); if (!port) port = 445; } else port = 0; report = '\n Oracle Home : ' + ohome + '\n Install path : ' + subdir + '\n Version : ' + version + '\n Fixes : ' + join(sep:", ", fix); security_report_v4(extra:report, severity:SECURITY_HOLE, port:port);
NASL family Misc. NASL id ORACLE_BI_PUBLISHER_OCT_2019_CPU.NASL description The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.9.x prior to 11.1.1.9.191015 or 12.2.1.3.x prior to 12.2.1.3.191015 or 12.2.1.4.x prior to 12.2.1.4.191015. It is, therefore, affected by multiple vulnerabilities as noted in the October 2019 Critical Patch Update advisory: - An unspecified vulnerability in the Installation component of Oracle BI Publisher that allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2905) - An unspecified vulnerability in the MobileService component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise BI Publisher. A successful attack requires human interaction from a person other than the attacker and while the vulnerability is in BI Publisher, attacks may significantly impact additional products. (CVE-2019-2906) - An unspecified vulnerability in the BI PublisherSecurity component of Oracle BI Publisher could allow a low privileged attacker with networkaccess via HTTP to compromise Oracle BI Publisher. A successful attack of this vulnerability canresult in unauthorized read access to a subset of BIPublisher accessible data (CVE-2019-2898) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow a low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-2897) - An unspecified vulnerability in the Secure Store (OpenSSL) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher data. (CVE-2019-1559) - An unspecified vulnerability in the BI Platform Security (JQuery) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. (CVE-2016-7103) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2900) - An unspecified vulnerability in the BI Platform Security component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-3012) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-05-31 modified 2019-11-06 plugin id 130589 published 2019-11-06 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130589 title Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(130589); script_version("1.4"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/27"); script_cve_id( "CVE-2015-9251", "CVE-2016-7103", "CVE-2019-1559", "CVE-2019-2897", "CVE-2019-2898", "CVE-2019-2900", "CVE-2019-2905", "CVE-2019-2906", "CVE-2019-3012" ); script_bugtraq_id(104823, 105658, 107174); script_xref(name:"IAVA", value:"2019-A-0382"); script_name(english:"Oracle Business Intelligence Publisher Multiple Vulnerabilities (Oct 2019 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Oracle Business Intelligence Publisher running on the remote host is 11.1.1.9.x prior to 11.1.1.9.191015 or 12.2.1.3.x prior to 12.2.1.3.191015 or 12.2.1.4.x prior to 12.2.1.4.191015. It is, therefore, affected by multiple vulnerabilities as noted in the October 2019 Critical Patch Update advisory: - An unspecified vulnerability in the Installation component of Oracle BI Publisher that allows unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2905) - An unspecified vulnerability in the MobileService component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise BI Publisher. A successful attack requires human interaction from a person other than the attacker and while the vulnerability is in BI Publisher, attacks may significantly impact additional products. (CVE-2019-2906) - An unspecified vulnerability in the BI PublisherSecurity component of Oracle BI Publisher could allow a low privileged attacker with networkaccess via HTTP to compromise Oracle BI Publisher. A successful attack of this vulnerability canresult in unauthorized read access to a subset of BIPublisher accessible data (CVE-2019-2898) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow a low privileged attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data as well as unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-2897) - An unspecified vulnerability in the Secure Store (OpenSSL) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTPS to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher data. (CVE-2019-1559) - An unspecified vulnerability in the BI Platform Security (JQuery) component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products. (CVE-2016-7103) - An unspecified vulnerability in the Analytics Actions component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data. (CVE-2019-2900) - An unspecified vulnerability in the BI Platform Security component of Oracle BI Publisher could allow an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. Successful attacks of this vulnerability can result in unauthorized read access to a subset of Oracle BI Publisher accessible data. (CVE-2019-3012) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # https://www.oracle.com/security-alerts/cpuoct2019.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?2c94f8e4"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the October 2019 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2906"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2019/10/15"); script_set_attribute(attribute:"patch_publication_date", value:"2019/10/31"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/11/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"agent", value:"all"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:fusion_middleware"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:business_intelligence_publisher"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_bi_publisher_installed.nbin"); script_require_keys("installed_sw/Oracle Business Intelligence Publisher"); exit(0); } include('vcf.inc'); include('vcf_extras.inc'); appname = 'Oracle Business Intelligence Publisher'; app_info = vcf::get_app_info(app:appname); # 11.1.1.9.x - Bundle: 30386665 | Patch: 30406851 # 12.2.1.3.x - Bundle: 30349417 | Patch: 30349417 # 12.2.1.4.x - Bundle: 29321695 | Patch: 29321695 constraints = [ {'min_version': '11.1.1.9', 'fixed_version': '11.1.1.9.191015', 'patch': '30406851', 'bundle': '30386665'}, {'min_version': '12.2.1.3', 'fixed_version': '12.2.1.3.191015', 'patch': '30349417', 'bundle': '30349417'}, {'min_version': '12.2.1.4', 'fixed_version': '12.2.1.4.191015', 'patch': '29321695', 'bundle': '29321695'} ]; vcf::oracle_bi_publisher::check_version_and_report(app_info: app_info, constraints:constraints, severity:SECURITY_WARNING);
NASL family Misc. NASL id PVS_5_2_0.NASL description The version of Tenable Passive Vulnerability Scanner (PVS) installed on the remote host is 5.x < 5.2.0. It is, therefore, affected by multiple vulnerabilities : - Multiple denial of service vulnerabilities exist in Expat within file xmlparse.c due to a logical error in hash computations. An unauthenticated, remote attacker can exploit these, via a specially crafted XML file containing many identifiers with the same value, to cause the service to exhaust CPU resources. (CVE-2012-0876, CVE-2016-5300) - A flaw exists in the generate_hash_secret_salt() function in file lib/xmlparse.c within Expat due to the generation of non-random output by the PRNG. An unauthenticated, remote attacker can exploit this to more easily predict the PRNG output. (CVE-2012-6702) - Multiple buffer overflow conditions exist within Expat, specifically in the XML_GetBuffer() function in file lib/xmlparse.c, due to improper validation of user-supplied input when handling compressed XML content. An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2015-1283, CVE-2016-4472) - Multiple buffer overflow conditions exist within the Expat XML parser when handling malformed input documents due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0718, CVE-2016-0719) - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit these to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the last seen 2020-06-01 modified 2020-06-02 plugin id 96337 published 2017-01-06 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96337 title Tenable Passive Vulnerability Scanner 5.x < 5.2.0 Multiple Vulnerabilities (SWEET32) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96337); script_version("1.7"); script_cvs_date("Date: 2019/11/13"); script_cve_id( "CVE-2012-0876", "CVE-2012-6702", "CVE-2015-1283", "CVE-2016-0718", "CVE-2016-0719", "CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2180", "CVE-2016-2181", "CVE-2016-2182", "CVE-2016-2183", "CVE-2016-4472", "CVE-2016-5300", "CVE-2016-6153", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6305", "CVE-2016-6306", "CVE-2016-6307", "CVE-2016-6308", "CVE-2016-6309", "CVE-2016-7052", "CVE-2016-7103" ); script_bugtraq_id( 52379, 75973, 90729, 91081, 91159, 91319, 91483, 91528, 91546, 92117, 92557, 92628, 92630, 92982, 92984, 92987, 93149, 93150, 93151, 93152, 93153, 93171, 93177 ); script_name(english:"Tenable Passive Vulnerability Scanner 5.x < 5.2.0 Multiple Vulnerabilities (SWEET32)"); script_summary(english:"Checks the PVS version."); script_set_attribute(attribute:"synopsis", value: "A vulnerability scanner installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of Tenable Passive Vulnerability Scanner (PVS) installed on the remote host is 5.x < 5.2.0. It is, therefore, affected by multiple vulnerabilities : - Multiple denial of service vulnerabilities exist in Expat within file xmlparse.c due to a logical error in hash computations. An unauthenticated, remote attacker can exploit these, via a specially crafted XML file containing many identifiers with the same value, to cause the service to exhaust CPU resources. (CVE-2012-0876, CVE-2016-5300) - A flaw exists in the generate_hash_secret_salt() function in file lib/xmlparse.c within Expat due to the generation of non-random output by the PRNG. An unauthenticated, remote attacker can exploit this to more easily predict the PRNG output. (CVE-2012-6702) - Multiple buffer overflow conditions exist within Expat, specifically in the XML_GetBuffer() function in file lib/xmlparse.c, due to improper validation of user-supplied input when handling compressed XML content. An unauthenticated, remote attacker can exploit these to execute arbitrary code. (CVE-2015-1283, CVE-2016-4472) - Multiple buffer overflow conditions exist within the Expat XML parser when handling malformed input documents due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit these to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-0718, CVE-2016-0719) - Multiple integer overflow conditions exist in s3_srvr.c, ssl_sess.c, and t1_lib.c due to improper use of pointer arithmetic for heap-buffer boundary checks. An unauthenticated, remote attacker can exploit these to cause a denial of service. (CVE-2016-2177) - An information disclosure vulnerability exists in the dsa_sign_setup() function in dsa_ossl.c due to a failure to properly ensure the use of constant-time operations. An unauthenticated, remote attacker can exploit this, via a timing side-channel attack, to disclose DSA key information. (CVE-2016-2178) - A denial of service vulnerability exists in the DTLS implementation due to a failure to properly restrict the lifetime of queue entries associated with unused out-of-order messages. An unauthenticated, remote attacker can exploit this, by maintaining multiple crafted DTLS sessions simultaneously, to exhaust memory. (CVE-2016-2179) - An out-of-bounds read error exists in the X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) implementation. An unauthenticated, remote attacker can exploit this, via a crafted time-stamp file that is mishandled by the 'openssl ts' command, to cause denial of service or to disclose sensitive information. (CVE-2016-2180) - A denial of service vulnerability exists in the Anti-Replay feature in the DTLS implementation due to improper handling of epoch sequence numbers in records. An unauthenticated, remote attacker can exploit this, via spoofed DTLS records, to cause legitimate packets to be dropped. (CVE-2016-2181) - An overflow condition exists in the BN_bn2dec() function in bn_print.c due to improper validation of user-supplied input when handling BIGNUM values. An unauthenticated, remote attacker can exploit this to crash the process. (CVE-2016-2182) - A vulnerability exists, known as SWEET32, in the 3DES and Blowfish algorithms due to the use of weak 64-bit block ciphers by default. A man-in-the-middle attacker who has sufficient resources can exploit this vulnerability, via a 'birthday' attack, to detect a collision that leaks the XOR between the fixed secret and a known plaintext, allowing the disclosure of the secret text, such as secure HTTPS cookies, and possibly resulting in the hijacking of an authenticated session. (CVE-2016-2183) - A flaw exists in SQLite due to the use of insecure temporary directories. A local attacker can exploit this to cause a denial of service condition or possibly have other more severe impact. (CVE-2016-6153) - A flaw exists in the tls_decrypt_ticket() function in t1_lib.c due to improper handling of ticket HMAC digests. An unauthenticated, remote attacker can exploit this, via a ticket that is too short, to crash the process, resulting in a denial of service. (CVE-2016-6302) - An integer overflow condition exists in the MDC2_Update() function in mdc2dgst.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6303) - A flaw exists in the ssl_parse_clienthello_tlsext() function in t1_lib.c due to improper handling of overly large OCSP Status Request extensions from clients. An unauthenticated, remote attacker can exploit this, via large OCSP Status Request extensions, to exhaust memory resources, resulting in a denial of service condition. (CVE-2016-6304) - A flaw exists in the SSL_peek() function in rec_layer_s3.c due to improper handling of empty records. An unauthenticated, remote attacker can exploit this, by triggering a zero-length record in an SSL_peek call, to cause an infinite loop, resulting in a denial of service condition. (CVE-2016-6305) - An out-of-bounds read error exists in the certificate parser that allows an unauthenticated, remote attacker to cause a denial of service via crafted certificate operations. (CVE-2016-6306) - A denial of service vulnerability exists in the state-machine implementation due to a failure to check for an excessive length before allocating memory. An unauthenticated, remote attacker can exploit this, via a crafted TLS message, to exhaust memory resources. (CVE-2016-6307) - A denial of service vulnerability exists in the DTLS implementation due to improper handling of excessively long DTLS messages. An unauthenticated, remote attacker can exploit this, via a crafted DTLS message, to exhaust available memory resources. (CVE-2016-6308) - A remote code execution vulnerability exists in the read_state_machine() function in statem.c due to improper handling of messages larger than 16k. An unauthenticated, remote attacker can exploit this, via a specially crafted message, to cause a use-after-free error, resulting in a denial of service condition or possibly the execution of arbitrary code. (CVE-2016-6309) - A cross-site scripting (XSS) vulnerability exists within the JQuery UI dialog() function due to improper validation of input to the 'closeText' parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-7103) - A denial of service vulnerability exists in x509_vfy.c due to improper handling of certificate revocation lists (CRLs). An unauthenticated, remote attacker can exploit this, via a specially crafted CRL, to cause a NULL pointer dereference, resulting in a crash of the service. (CVE-2016-7052) - An unspecified cross-site scripting (XSS) vulnerability exists in the web interface due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2016-20"); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/products/nessus/nessus-network-monitor"); script_set_attribute(attribute:"see_also", value:"https://sweet32.info"); script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/blog/blog/2016/08/24/sweet32/"); script_set_attribute(attribute:"solution", value: "Upgrade to Tenable Passive Vulnerability Scanner version 5.2.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2012/03/06"); script_set_attribute(attribute:"patch_publication_date", value:"2016/12/12"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/06"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:tenable:pvs"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("os_fingerprint.nasl", "pvs_installed_win.nbin", "pvs_installed_nix.nbin", "pvs_installed_macosx.nbin"); script_require_keys("Host/OS", "Host/pvs_installed"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("install_func.inc"); pvs_installed = get_kb_item_or_exit("Host/pvs_installed"); os = get_kb_item_or_exit("Host/OS"); if ('windows' >< tolower(os)) { version = get_kb_item_or_exit("SMB/PVS/Version"); port = get_kb_item("SMB/transport"); if (isnull(port)) port = 445; } else { # linux KB entry version = get_kb_item("Host/PVS/Version"); # If that's not set, try Mac if (empty_or_null(version)) { install = get_single_install( app_name:"Tenable Passive Vulnerability Scanner", exit_if_unknown_ver:TRUE ); version = install['version']; } port = 0; } app_name = "Tenable PVS"; fixed_version = '5.2.0'; # Affects 5.x < 5.2.0 if (version !~ "^5\.[01]\.") { audit(AUDIT_INST_VER_NOT_VULN, app_name, version); } if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) >= 0) audit(AUDIT_INST_VER_NOT_VULN, app_name, version); report = '\n Application : ' + app_name + '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n'; security_report_v4(port:port, severity:SECURITY_HOLE, extra:report, xss:TRUE);
NASL family Misc. NASL id SECURITYCENTER_5_4_1.NASL description According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.1. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in x509_vfy.c due to improper handling of certificate revocation lists (CRLs). An unauthenticated, remote attacker can exploit this, via a specially crafted CRL, to cause a NULL pointer dereference, resulting in a crash of the service. (CVE-2016-7052) - A cross-site scripting (XSS) vulnerability exists within the JQuery UI dialog() function due to improper validation of input to the last seen 2020-06-01 modified 2020-06-02 plugin id 96832 published 2017-01-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/96832 title Tenable SecurityCenter < 5.4.1 Multiple Vulnerabilities (TNS-2016-19) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(96832); script_version("1.8"); script_cvs_date("Date: 2019/01/02 11:18:37"); script_cve_id( "CVE-2016-7052", "CVE-2016-7103", "CVE-2016-7124", "CVE-2016-7125", "CVE-2016-7126", "CVE-2016-7127", "CVE-2016-7128", "CVE-2016-7129", "CVE-2016-7130", "CVE-2016-7131", "CVE-2016-7132", "CVE-2016-7412", "CVE-2016-7413", "CVE-2016-7414", "CVE-2016-7415", "CVE-2016-7416", "CVE-2016-7417", "CVE-2016-7418", "CVE-2016-9137" ); script_bugtraq_id( 92552, 92564, 92755, 92756, 92757, 92758, 92764, 92767, 92768, 93004, 93005, 93006, 93007, 93008, 93011, 93022, 93171, 93577 ); script_name(english:"Tenable SecurityCenter < 5.4.1 Multiple Vulnerabilities (TNS-2016-19)"); script_summary(english:"Checks the SecurityCenter version."); script_set_attribute(attribute:"synopsis", value: "An application installed on the remote host is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.4.1. It is, therefore, affected by multiple vulnerabilities : - A denial of service vulnerability exists in x509_vfy.c due to improper handling of certificate revocation lists (CRLs). An unauthenticated, remote attacker can exploit this, via a specially crafted CRL, to cause a NULL pointer dereference, resulting in a crash of the service. (CVE-2016-7052) - A cross-site scripting (XSS) vulnerability exists within the JQuery UI dialog() function due to improper validation of input to the 'closeText' parameter before returning it to users. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-7103) - A denial of service vulnerability exists in PHP within file ext/standard/var_unserializer.c due to improper handling of certain invalid objects. An unauthenticated, remote attacker can exploit this, via specially crafted serialized data that leads to a __destruct() or magic() function call, to cause a denial of service condition or potentially execute arbitrary code. (CVE-2016-7124) - A flaw exists in PHP in file ext/session/session.c when handling session names. An unauthenticated, remote attacker can exploit this to inject arbitrary data into sessions. (CVE-2016-7125) - An integer truncation error exists in PHP in the select_colors() function in file ext/gd/libgd/gd_topal.c when handling the number of colors. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. (CVE-2016-7126) - An array-indexing error exists in PHP in the imagegammacorrect() function within file ext/gd/gd.c when handling negative gamma values. An unauthenticated, remote attacker can exploit this, by writing a NULL to an arbitrary memory location, to cause a crash or the execution of arbitrary code. (CVE-2016-7127) - A flaw exists in PHP in the exif_process_IFD_in_TIFF() function within file ext/exif/exif.c when handling TIFF image content. An unauthenticated, remote attacker can exploit this to disclose memory contents. (CVE-2016-7128) - A denial of service vulnerability exists in PHP in the php_wddx_process_data() function within file ext/wddx/wddx.c when deserializing invalid dateTime values. An unauthenticated, remote attacker can exploit this to cause a crash. (CVE-2016-7129) - A NULL pointer dereference flaw exists in PHP in the php_wddx_pop_element() function within file ext/wddx/wddx.c when handling Base64 binary values. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7130) - A NULL pointer dereference flaw exists in PHP in the php_wddx_deserialize_ex() function within file ext/wddx/wddx.c when handling invalid XML content. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7131) - A NULL pointer dereference flaw exists in PHP in the php_wddx_pop_element() function within file ext/wddx/wddx.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-7132) - A buffer overflow condition exists in PHP in file ext/mysqlnd/mysqlnd_wireprotocol.c within the php_mysqlnd_rowp_read_text_protocol_aux() function when handling the BIT field. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a crash or the execution of arbitrary code. (CVE-2016-7412) - A use-after-free error exists in PHP in the wddx_stack_destroy() function within file ext/wddx/wddx.c when deserializing recordset elements. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. (CVE-2016-7413) - An out-of-bounds access error exists in PHP in the phar_parse_zipfile() function within file ext/phar/zip.c when handling the uncompressed file size. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-7414) - Multiple stack-based buffer overflow conditions exist in the International Components for Unicode for C/C++ (ICU4C) component in the msgfmt_format_message() function within file common/locid.cpp when handling locale strings. An unauthenticated, remote attacker can exploit these, via a long locale string, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-7415, CVE-2016-7416) - A flaw exists in PHP within file ext/spl/spl_array.c, specifically in the spl_array_get_dimension_ptr_ptr() function during the deserialization of SplArray, due to improper validation of types. An unauthenticated, remote attacker can exploit this to cause a crash or other unspecified impact. (CVE-2016-7417) - An out-of-bounds read error exists in PHP in the php_wddx_push_element() function within file ext/wddx/wddx.c. An unauthenticated, remote attacker can exploit this to cause a crash or the disclosure of memory contents. (CVE-2016-7418) - A use-after-free error exists in PHP within the unserialize() function in file ext/curl/curl_file.c. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-9137) - An integer overflow condition exists in PHP in the php_snmp_parse_oid() function in file ext/snmp/snmp.c. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the sql_regcase() function within file ext/ereg/ereg.c when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the php_base64_encode() function within file ext/standard/base64.c when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the php_quot_print_encode() function within file ext/standard/quot_print.c when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in the execution of arbitrary code. - A use-after-free error exists in PHP in the unserialize() function within file ext/standard/var.c. An unauthenticated, remote attacker can exploit this to dereference already freed memory, resulting in the execution of arbitrary code. - A flaw exists in PHP in the php_ftp_fopen_connect() function within file ext/standard/ftp_fopen_wrapper.c due to silently downgrading to regular FTP even if a secure method has been requested. A man-in-the-middle (MitM) attacker can exploit this to downgrade the FTP communication. - An integer overflow condition exists in PHP in the php_url_encode() function within file ext/standard/url.c when handling overly long strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the php_uuencode() function in file ext/standard/uuencode.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the bzdecompress() function within file ext/bz2/bz2.c. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An integer overflow condition exists in PHP in the curl_escape() function within file ext/curl/interface.c when handling overly long escaped strings. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in the execution of arbitrary code. - An out-of-bounds access error exists in PHP in file ext/phar/tar.c, specifically in the phar_parse_tarfile() function during the verification of signatures. An unauthenticated, remote attacker can exploit this to have an unspecified impact. - A flaw exists in PHP when destroying deserialized objects due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP within the fgetcsv() function due to improper validation of CSV field lengths. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP in the wordwrap() function within file ext/standard/string.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP in the fgets() function within file ext/standard/file.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP in the xml_utf8_encode() function within file ext/xml/xml.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to cause an unspecified impact. - A flaw exists in PHP in the exif_process_IFD_in_TIFF() function within file ext/exif/exif.c when handling uninitialized thumbnail data. An unauthenticated, remote attacker can exploit this to disclose memory contents. - A flaw exists in PHP due to the parse_url() function returning the incorrect host. An unauthenticated, remote attacker can exploit this to bypass authentication or to conduct open redirection and server-side request forgery attacks, depending on how the function is implemented. - A NULL pointer dereference flaw exists in PHP in the SimpleXMLElement::asXML() function within file ext/simplexml/simplexml.c. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - An heap buffer overflow condition exists in PHP in the php_ereg_replace() function within file ext/ereg/ereg.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. - A flaw exists in PHP in file ext/openssl/openssl.c within the openssl_random_pseudo_bytes() function when handling strings larger than 2GB. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A flaw exists in PHP in the openssl_encrypt() function within file ext/openssl/openssl.c when handling strings larger than 2GB. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - An integer overflow condition exists in PHP in the imap_8bit() function within file ext/imap/php_imap.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - A flaw exists in PHP in the _bc_new_num_ex() function within file ext/bcmath/libbcmath/src/init.c when handling values passed via the 'scale' parameter. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A flaw exists in PHP in the php_resolve_path() function within file main/fopen_wrappers.c when handling negative size values passed via the 'filename' parameter. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - A flaw exists in PHP in the dom_document_save_html() function within file ext/dom/document.c due to missing NULL checks. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - An integer overflow condition exists in PHP in the mb_encode_*() function in file ext/mbstring/mbstring.c due to improper validation of the length of encoded data. An unauthenticated, remote attacker can exploit this to corrupt memory, resulting in a denial of service condition or the execution of arbitrary code. - A NULL pointer dereference flaw exists in PHP in the CachingIterator() function within file ext/spl/spl_iterators.c when handling string conversion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - An integer overflow condition exists in PHP in the number_format() function within file ext/standard/math.c when handling 'decimals' and 'dec_point' parameters with values equal or close to 0x7FFFFFFF. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. - A overflow condition exists in PHP within file ext/intl/resourcebundle/resourcebundle_class.c, specifically in functions ResourceBundle::create() and ResourceBundle::getLocales(), due to improper validation of input passed via the 'bundlename' parameter. An unauthenticated, remote attacker can exploit this to cause a stack-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP in the php_pcre_replace_impl() function within file ext/pcre/php_pcre.c due to improper validation of certain unspecified input. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. - An integer overflow condition exists in PHP in the _php_imap_mail() function in file ext/imap/php_imap.c when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a heap-based buffer overflow, resulting in a denial of service condition or the execution of arbitrary code. - A flaw exists in PHP in the bzcompress() function when handling overly long strings. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. - An integer overflow condition exists in PHP in the gdImageAALine() function within file ext/gd/libgd/gd.c due to improper validation of line limit values. An unauthenticated, remote attacker can exploit this to cause an out-of-bounds write or read, resulting in a denial of service condition, the disclosure of memory contents, or the execution of arbitrary code. - Multiple stored cross-site scripting (XSS) vulnerabilities exist in unspecified scripts due to improper validation of input before returning it to users. An unauthenticated, remote attacker can exploit these, via a specially crafted request, to execute arbitrary script code in a user's browser session. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/tns-2016-19"); script_set_attribute(attribute:"solution", value: "Upgrade to Tenable SecurityCenter version 5.4.1 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-9137"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/10/19"); script_set_attribute(attribute:"patch_publication_date", value:"2016/11/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/27"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:tenable:securitycenter"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Misc."); script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("securitycenter_installed.nbin", "securitycenter_detect.nbin"); script_require_ports("Host/SecurityCenter/Version", "installed_sw/SecurityCenter"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("install_func.inc"); include("misc_func.inc"); include("install_func.inc"); version = get_kb_item("Host/SecurityCenter/Version"); if(empty_or_null(version)) { install = get_single_install(app_name:"SecurityCenter", combined:TRUE, exit_if_unknown_ver:TRUE); version = install["version"]; } fix = "5.4.1"; if ( version =~ "^5\.[0-3]([^0-9]|$)" || version =~ "^5\.4\.0([^0-9]|$)" ) { items = make_array("Installed version", version, "Fixed version", fix ); order = make_list("Installed version", "Fixed version"); report = report_items_str(report_items:items, ordered_fields:order); security_report_v4(severity:SECURITY_HOLE, port:0, extra:report, xss:TRUE); } else audit(AUDIT_INST_VER_NOT_VULN, 'SecurityCenter', version);
NASL family Databases NASL id ORACLE_RDBMS_CPU_APR_2020.NASL description The remote Oracle Database Server is missing the April 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Oracle Multimedia component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Oracle Multimedia. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Multimedia (CVE-2016-10251). - Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 19.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data (CVE-2016-7103). - Vulnerability in the WLM (Apache Tomcat) component of Oracle Database Server. Supported versions that are affected are 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WLM (Apache Tomcat). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WLM (Apache Tomcat) (CVE-2019-17563). It is also affected by additional vulnerabilities; see the vendor advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-02 modified 2020-04-15 plugin id 135585 published 2020-04-15 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135585 title Oracle Database Server Multiple Vulnerabilities (Apr 2020 CPU) code # # (C) Tenable Network Security, Inc. # # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135585); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01"); script_cve_id( "CVE-2016-7103", "CVE-2016-10251", "CVE-2019-2853", "CVE-2019-17563", "CVE-2020-2514", "CVE-2020-2734", "CVE-2020-2735", "CVE-2020-2737" ); script_bugtraq_id(97584, 104823, 109236); script_xref(name:"IAVA", value:"2020-A-0147"); script_name(english:"Oracle Database Server Multiple Vulnerabilities (Apr 2020 CPU)"); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Oracle Database Server is missing the April 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities: - Vulnerability in the Oracle Multimedia component of Oracle Database Server. The supported version that is affected is 12.1.0.2. Easily exploitable vulnerability allows low privileged attacker having Create Session privilege with network access via Oracle Net to compromise Oracle Multimedia. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle Multimedia (CVE-2016-10251). - Vulnerability in the Oracle Application Express component of Oracle Database Server. The supported version that is affected is Prior to 19.1. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Application Express. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Application Express, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Application Express accessible data as well as unauthorized read access to a subset of Oracle Application Express accessible data (CVE-2016-7103). - Vulnerability in the WLM (Apache Tomcat) component of Oracle Database Server. Supported versions that are affected are 12.2.0.1, 18c and 19c. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise WLM (Apache Tomcat). Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of WLM (Apache Tomcat) (CVE-2019-17563). It is also affected by additional vulnerabilities; see the vendor advisory for more information. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); # https://www.oracle.com/security-alerts/cpuapr2020.html#AppendixDB script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?279de7b8"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the April 2020 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-2853"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/15"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server"); script_set_attribute(attribute:"stig_severity", value:"I"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin"); exit(0); } include('oracle_rdbms_cpu_func.inc'); patches = make_nested_array(); # RDBMS 19.7.0.0 patches['19.7.0.0']['db']['nix'] = make_array('patch_level', '19.7.0.0.200414', 'CPU', '30869156'); patches['19.7.0.0']['db']['win'] = make_array('patch_level', '19.7.0.0.200414', 'CPU', '30901317'); # RDBMS 19.6.1.0 patches['19.6.1.0']['db']['nix'] = make_array('patch_level', '19.6.1.0.200414', 'CPU', '30797938'); # RDBMS 19.5.2.0 patches['19.5.2.0']['db']['nix'] = make_array('patch_level', '19.5.2.0.200414', 'CPU', '30830913'); # RDBMS 18.10.0.0 patches['18.10.0.0']['db']['nix'] = make_array('patch_level', '18.10.0.0.200414', 'CPU', '30872794'); patches['18.10.0.0']['db']['win'] = make_array('patch_level', '18.10.0.0.200414', 'CPU', '30901451'); # RDVMS 18.9.1.0 patches['18.9.1.0']['db']['nix'] = make_array('patch_level', '18.9.1.0.200414', 'CPU', '30798089'); # RDVMS 18.8.2.0 patches['18.8.2.0']['db']['nix'] = make_array('patch_level', '18.8.2.0.200414', 'CPU', '30830887'); # RDBMS 12.2.0.1 patches['12.2.0.1']['db']['nix'] = make_array('patch_level', '12.2.0.1.200414', 'CPU', '30799484, 30831066, 30886680'); patches['12.2.0.1']['db']['win'] = make_array('patch_level', '12.2.0.1.200414', 'CPU', '30861472'); # RDBMS 12.1.0.2 patches['12.1.0.2']['db']['nix'] = make_array('patch_level', '12.1.0.2.200414', 'CPU', '30691015, 30700212'); patches['12.1.0.2']['db']['win'] = make_array('patch_level', '12.1.0.2.200414', 'CPU', '30861721'); # RDBMS 11.2.0.4 patches['11.2.0.4']['db']['nix'] = make_array('patch_level', '11.2.0.4.200414', 'CPU', '30670774, 30691206, 31010960'); patches['11.2.0.4']['db']['win'] = make_array('patch_level', '11.2.0.4.200414', 'CPU', '31169916'); # OJVM 19.7.0.0 patches['19.7.0.0']['ojvm']['nix'] = make_array('patch_level', '19.7.0.0.200414', 'CPU', '30805684'); patches['19.7.0.0']['ojvm']['win'] = make_array('patch_level', '19.7.0.0.200414', 'CPU', '30805684'); # OJVM 18.10.0.0 patches['18.10.0.0']['ojvm']['nix'] = make_array('patch_level', '18.10.0.0.200414', 'CPU', '30805598'); patches['18.10.0.0']['ojvm']['win'] = make_array('patch_level', '18.10.0.0.200414', 'CPU', '30805598'); # OJVM 12.2.0.1 patches['12.2.0.1']['ojvm']['nix'] = make_array('patch_level', '12.2.0.1.200414', 'CPU', '30805580'); patches['12.2.0.1']['ojvm']['win'] = make_array('patch_level', '12.2.0.1.200414', 'CPU', '31035002'); # OJVM 12.1.0.2 patches['12.1.0.2']['ojvm']['nix'] = make_array('patch_level', '12.1.0.2.200414', 'CPU', '30805558'); patches['12.1.0.2']['ojvm']['win'] = make_array('patch_level', '12.1.0.2.200414', 'CPU', '31037459'); # OJVM 11.2.0.4 patches['11.2.0.4']['ojvm']['nix'] = make_array('patch_level', '11.2.0.4.200414', 'CPU', '30805543'); patches['11.2.0.4']['ojvm']['win'] = make_array('patch_level', '11.2.0.4.200414', 'CPU', '31169933'); check_oracle_database(patches:patches, high_risk:TRUE);
NASL family CGI abuses NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_JUL_2018.NASL description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.0, 17.x prior to 17.12.7.0, or 18.x prior to 18.7.0.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 111213 published 2018-07-20 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111213 title Oracle Primavera Unifier Multiple Vulnerabilities (July 2018 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(111213); script_version("1.5"); script_cvs_date("Date: 2019/11/04"); script_cve_id( "CVE-2016-4055", "CVE-2016-7103", "CVE-2018-2965", "CVE-2018-2966", "CVE-2018-2967", "CVE-2018-2968", "CVE-2018-2969" ); script_bugtraq_id(95849, 104823, 104828); script_name(english:"Oracle Primavera Unifier Multiple Vulnerabilities (July 2018 CPU)"); script_summary(english:"Checks the version of Oracle Primavera Unifier."); script_set_attribute(attribute:"synopsis", value: "An application running on the remote web server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.0, 17.x prior to 17.12.7.0, or 18.x prior to 18.7.0.0. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number."); # http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?50f36723"); script_set_attribute(attribute:"solution", value: "Upgrade to Oracle Primavera Unifier version 16.2.15.0 / 17.12.7.0 / 18.7.0.0 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-2965"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"patch_publication_date", value:"2018/07/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/07/20"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"x-cpe:/a:oracle:primavera_unifier"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"CGI abuses"); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_primavera_unifier.nbin"); script_require_keys("installed_sw/Oracle Primavera Unifier", "www/weblogic"); script_require_ports("Services/www", 8002); exit(0); } include("http.inc"); include("vcf.inc"); get_install_count(app_name:"Oracle Primavera Unifier", exit_if_zero:TRUE); port = get_http_port(default:8002); get_kb_item_or_exit("www/weblogic/" + port + "/installed"); app_info = vcf::get_app_info(app:"Oracle Primavera Unifier", port:port); constraints = [ { "min_version" : "16.0.0.0", "fixed_version" : "16.2.15.0" }, { "min_version" : "17.0.0.0", "fixed_version" : "17.12.7.0" }, { "min_version" : "18.0.0.0", "fixed_version" : "18.7.0.0" } ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_WARNING);
Redhat
advisories |
| ||||||||||||
rpms |
|
References
- http://rhn.redhat.com/errata/RHSA-2016-2932.html
- http://rhn.redhat.com/errata/RHSA-2016-2932.html
- http://rhn.redhat.com/errata/RHSA-2016-2933.html
- http://rhn.redhat.com/errata/RHSA-2016-2933.html
- http://rhn.redhat.com/errata/RHSA-2017-0161.html
- http://rhn.redhat.com/errata/RHSA-2017-0161.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- http://www.securityfocus.com/bid/104823
- http://www.securityfocus.com/bid/104823
- https://github.com/jquery/api.jqueryui.com/issues/281
- https://github.com/jquery/api.jqueryui.com/issues/281
- https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6
- https://github.com/jquery/jquery-ui/commit/9644e7bae9116edaf8d37c5b38cb32b892f10ff6
- https://jqueryui.com/changelog/1.12.0/
- https://jqueryui.com/changelog/1.12.0/
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3Ccommits.roller.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.apache.org/thread.html/ff8dcfe29377088ab655fda9d585dccd5b1f07fabd94ae84fd60a7f8%40%3Ccommits.pulsar.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://lists.debian.org/debian-lts-announce/2022/01/msg00014.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/E2I4UHPIW26FIALH7GGZ3IYUUA53VOOJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HVKIOWSXL2RF2ULNAP7PHESYCFSZIJE3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SGSY236PYSFYIEBRGDERLA7OSY6D7XL4/
- https://nodesecurity.io/advisories/127
- https://nodesecurity.io/advisories/127
- https://security.netapp.com/advisory/ntap-20190416-0007/
- https://security.netapp.com/advisory/ntap-20190416-0007/
- https://www.drupal.org/sa-core-2022-002
- https://www.drupal.org/sa-core-2022-002
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://www.tenable.com/security/tns-2016-19
- https://www.tenable.com/security/tns-2016-19