Vulnerabilities > CVE-2019-19039 - Information Exposure Through Log Files vulnerability in multiple products

047910
CVSS 5.5 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
local
low complexity
linux
debian
canonical
CWE-532
nessus

Summary

__btrfs_free_extent in fs/btrfs/extent-tree.c in the Linux kernel through 5.3.12 calls btrfs_print_leaf in a certain ENOENT case, which allows local users to obtain potentially sensitive information about register values via the dmesg program. NOTE: The BTRFS development team disputes this issues as not being a vulnerability because “1) The kernel provide facilities to restrict access to dmesg - dmesg_restrict=1 sysctl option. So it's really up to the system administrator to judge whether dmesg access shall be disallowed or not. 2) WARN/WARN_ON are widely used macros in the linux kernel. If this CVE is considered valid this would mean there are literally thousands CVE lurking in the kernel - something which clearly is not the case.

Vulnerable Configurations

Part Description Count
OS
Linux
4176
OS
Debian
1
OS
Canonical
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Fuzzing and observing application log data/errors for application mapping
    An attacker sends random, malformed, or otherwise unexpected messages to a target application and observes the application's log or error messages returned. Fuzzing techniques involve sending random or malformed messages to a target and monitoring the target's response. The attacker does not initially know how a target will respond to individual messages but by attempting a large number of message variants they may find a variant that trigger's desired behavior. In this attack, the purpose of the fuzzing is to observe the application's log and error messages, although fuzzing a target can also sometimes cause the target to enter an unstable state, causing a crash. By observing logs and error messages, the attacker can learn details about the configuration of the target application and might be able to cause the target to disclose sensitive information.

Nessus

  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1508.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In f2fs_xattr_generic_list of xattr.c, there is a possible out of bounds read due to a missing bounds check. This could lead to local information disclosure with System execution privileges needed. User interaction is not required for exploitation.(CVE-2020-0067) - An issue was discovered in the Linux kernel before 5.2 on the powerpc platform. arch/powerpc/kernel/idle_book3s.S does not have save/restore functionality for PNV_POWERSAVE_AMR, PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka CID-53a712bae5dd.(CVE-2020-11669) - In the Linux kernel before 5.6.1, drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink camera USB driver) mishandles invalid descriptors, aka CID-a246b4d54770.(CVE-2020-11668) - In the Linux kernel before 5.4.12, drivers/input/input.c has out-of-bounds writes via a crafted keycode table, as demonstrated by input_set_keycode, aka CID-cb222aed03d7.(CVE-2019-20636) - An issue was discovered in the Linux kernel before 5.6.1. drivers/media/usb/gspca/ov519.c allows NULL pointer dereferences in ov511_mode_init_regs and ov518_mode_init_regs when there are zero endpoints, aka CID-998912346c0d.(CVE-2020-11608) - An issue was discovered in the stv06xx subsystem in the Linux kernel before 5.6.1. drivers/media/usb/gspca/stv06xx/stv06xx.c and drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c mishandle invalid descriptors, as demonstrated by a NULL pointer dereference, aka CID-485b06aadb93.(CVE-2020-11609) - A flaw was found in the Linux kernel
    last seen2020-05-03
    modified2020-04-20
    plugin id135741
    published2020-04-20
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/135741
    titleEulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1508)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(135741);
      script_version("1.3");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/01");
    
      script_cve_id(
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19815",
        "CVE-2019-20636",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749"
      );
    
      script_name(english:"EulerOS 2.0 SP8 : kernel (EulerOS-SA-2020-1508)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS host is missing multiple security updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS installation on the remote host is affected by the following
    vulnerabilities :
    
      - In f2fs_xattr_generic_list of xattr.c, there is a
        possible out of bounds read due to a missing bounds
        check. This could lead to local information disclosure
        with System execution privileges needed. User
        interaction is not required for
        exploitation.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - __btrfs_free_extent in fs/btrfs/extent-tree.c in the
        Linux kernel through 5.3.12 calls btrfs_print_leaf in a
        certain ENOENT case, which allows local users to obtain
        potentially sensitive information about register values
        via the dmesg program.(CVE-2019-19039)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1508
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d1bbee1a");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/20");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:bpftool");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-source");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python3-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
      script_exclude_keys("Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
    
    sp = get_kb_item("Host/EulerOS/sp");
    if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
    
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
    
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["bpftool-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-source-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "python-perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8",
            "python3-perf-4.19.36-vhulk1907.1.0.h729.eulerosv2r8"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2020-1536.NASL
    descriptionAccording to the versions of the kernel packages installed, the EulerOS Virtualization for ARM 64 installation on the remote host is affected by the following vulnerabilities : - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka CID-ead16e53c2f0.(CVE-2019-19536) - In the Linux kernel before 5.2.9, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka CID-30a8beeb3042.(CVE-2019-19535) - vcs_write in drivers/tty/vt/vc_screen.c in the Linux kernel through 5.3.13 does not prevent write access to vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252) - In the AppleTalk subsystem in the Linux kernel before 5.1, there is a potential NULL pointer dereference because register_snap_client may return NULL. This will lead to denial of service in net/appletalk/aarp.c and net/appletalk/ddp.c, as demonstrated by unregister_snap_client, aka CID-9804501fa122.(CVE-2019-19227) - A memory leak in the adis_update_scan_mode() function in drivers/iio/imu/adis_buffer.c in the Linux kernel before 5.3.9 allows attackers to cause a denial of service (memory consumption), aka CID-ab612b1daf41.(CVE-2019-19060) - In the Linux kernel before 5.3.11, there is an info-leak bug that can be caused by a malicious USB device in the drivers/net/can/usb/peak_usb/pcan_usb_core.c driver, aka CID-f7a1337f0d29.(CVE-2019-19534) - In the Linux kernel before 5.3.11, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/can/usb/mcba_usb.c driver, aka CID-4d6636498c41.(CVE-2019-19529) - In the Linux kernel before 5.3.9, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/nfc/pn533/usb.c driver, aka CID-6af3aa57a098.(CVE-2019-19526) - In the Linux kernel before 5.3.6, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/net/ieee802154/atusb.c driver, aka CID-7fd25e6fc035.(CVE-2019-19525) - In the Linux kernel before 5.3.9, there are multiple out-of-bounds write bugs that can be caused by a malicious USB device in the Linux kernel HID drivers, aka CID-d9d4b1e46d95. This affects drivers/hid/hid-axff.c, drivers/hid/hid-dr.c, drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c, drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c, drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c, drivers/hid/hid-lgff.c, drivers/hid/hid-logitech-hidpp.c, drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c, drivers/hid/hid-tmff.c, and drivers/hid/hid-zpff.c.(CVE-2019-19532) - In the Linux kernel before 5.2.10, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/hid/usbhid/hiddev.c driver, aka CID-9c09b214f30e.(CVE-2019-19527) - ** DISPUTED ** The Linux kernel through 5.0.7, when CONFIG_IA32_AOUT is enabled and ia32_aout is loaded, allows local users to bypass ASLR on setuid a.out programs (if any exist) because install_exec_creds() is called too late in load_aout_binary() in fs/binfmt_aout.c, and thus the ptrace_may_access() check has a race condition when reading /proc/pid/stat. NOTE: the software maintainer disputes that this is a vulnerability because ASLR for a.out format executables has never been supported.(CVE-2019-11191) - In the Linux kernel before 5.3.12, there is a use-after-free bug that can be caused by a malicious USB device in the drivers/input/ff-memless.c driver, aka CID-fa3a5a1880c9.(CVE-2019-19524) - drivers/net/wireless/marvell/libertas/if_sdio.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16232) - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference.(CVE-2019-16231) - ** DISPUTED ** drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux kernel 5.2.14 does not check the alloc_workqueue return value, leading to a NULL pointer dereference. NOTE: The security community disputes this issues as not being serious enough to be deserving a CVE id.(CVE-2019-16229) - Linux kernel CIFS implementation, version 4.9.0 is vulnerable to a relative paths injection in directory entry lists.(CVE-2019-10220) - A heap overflow flaw was found in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The vulnerability allows a remote attacker to cause a system crash, resulting in a denial of service, or execute arbitrary code. The highest threat with this vulnerability is with the availability of the system. If code execution occurs, the code will run with the permissions of root. This will affect both confidentiality and integrity of files on the system.(CVE-2019-14901) - The Linux kernel before 5.4.2 mishandles ext4_expand_extra_isize, as demonstrated by use-after-free errors in __ext4_expand_extra_isize and ext4_xattr_set_entry, related to fs/ext4/inode.c and fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767) - A heap-based buffer overflow was discovered in the Linux kernel, all versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi chip driver. The flaw could occur when the station attempts a connection negotiation during the handling of the remote devices country settings. This could allow the remote device to cause a denial of service (system crash) or possibly execute arbitrary code.(CVE-2019-14895) - Linux Kernel could allow a local authenticated attacker to obtain sensitive information, caused by a Transaction Asynchronous Abort (TAA) h/w issue in KVM. By sending a specially-crafted request, an attacker could exploit this vulnerability to obtain sensitive information, and use this information to launch further attacks against the affected system.(CVE-2019-19338) - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated user to potentially enable information disclosure via a side channel with local access.(CVE-2019-11135) - An out-of-bounds memory write issue was found in the Linux Kernel, version 3.13 through 5.4, in the way the Linux kernel
    last seen2020-05-08
    modified2020-05-01
    plugin id136239
    published2020-05-01
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/136239
    titleEulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(136239);
      script_version("1.2");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/05/07");
    
      script_cve_id(
        "CVE-2019-10220",
        "CVE-2019-11135",
        "CVE-2019-11191",
        "CVE-2019-14895",
        "CVE-2019-14896",
        "CVE-2019-14897",
        "CVE-2019-14901",
        "CVE-2019-16229",
        "CVE-2019-16231",
        "CVE-2019-16232",
        "CVE-2019-19036",
        "CVE-2019-19037",
        "CVE-2019-19039",
        "CVE-2019-19060",
        "CVE-2019-19227",
        "CVE-2019-19252",
        "CVE-2019-19332",
        "CVE-2019-19338",
        "CVE-2019-19447",
        "CVE-2019-19524",
        "CVE-2019-19525",
        "CVE-2019-19526",
        "CVE-2019-19527",
        "CVE-2019-19529",
        "CVE-2019-19532",
        "CVE-2019-19534",
        "CVE-2019-19535",
        "CVE-2019-19536",
        "CVE-2019-19767",
        "CVE-2019-19768",
        "CVE-2019-19770",
        "CVE-2019-19807",
        "CVE-2019-19815",
        "CVE-2019-19922",
        "CVE-2019-19947",
        "CVE-2019-20095",
        "CVE-2019-20096",
        "CVE-2019-20636",
        "CVE-2019-3016",
        "CVE-2019-5108",
        "CVE-2020-0067",
        "CVE-2020-11494",
        "CVE-2020-11565",
        "CVE-2020-11608",
        "CVE-2020-11609",
        "CVE-2020-11668",
        "CVE-2020-11669",
        "CVE-2020-1749",
        "CVE-2020-2732",
        "CVE-2020-8428",
        "CVE-2020-8647",
        "CVE-2020-8648",
        "CVE-2020-8649",
        "CVE-2020-9383"
      );
    
      script_name(english:"EulerOS Virtualization for ARM 64 3.0.2.0 : kernel (EulerOS-SA-2020-1536)");
      script_summary(english:"Checks the rpm output for the updated packages.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote EulerOS Virtualization for ARM 64 host is missing multiple security
    updates.");
      script_set_attribute(attribute:"description", value:
    "According to the versions of the kernel packages installed, the
    EulerOS Virtualization for ARM 64 installation on the remote host is
    affected by the following vulnerabilities :
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_pro.c driver, aka
        CID-ead16e53c2f0.(CVE-2019-19536)
    
      - In the Linux kernel before 5.2.9, there is an info-leak
        bug that can be caused by a malicious USB device in the
        drivers/net/can/usb/peak_usb/pcan_usb_fd.c driver, aka
        CID-30a8beeb3042.(CVE-2019-19535)
    
      - vcs_write in drivers/tty/vt/vc_screen.c in the Linux
        kernel through 5.3.13 does not prevent write access to
        vcsu devices, aka CID-0c9acb1af77a.(CVE-2019-19252)
    
      - In the AppleTalk subsystem in the Linux kernel before
        5.1, there is a potential NULL pointer dereference
        because register_snap_client may return NULL. This will
        lead to denial of service in net/appletalk/aarp.c and
        net/appletalk/ddp.c, as demonstrated by
        unregister_snap_client, aka
        CID-9804501fa122.(CVE-2019-19227)
    
      - A memory leak in the adis_update_scan_mode() function
        in drivers/iio/imu/adis_buffer.c in the Linux kernel
        before 5.3.9 allows attackers to cause a denial of
        service (memory consumption), aka
        CID-ab612b1daf41.(CVE-2019-19060)
    
      - In the Linux kernel before 5.3.11, there is an
        info-leak bug that can be caused by a malicious USB
        device in the
        drivers/net/can/usb/peak_usb/pcan_usb_core.c driver,
        aka CID-f7a1337f0d29.(CVE-2019-19534)
    
      - In the Linux kernel before 5.3.11, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/can/usb/mcba_usb.c
        driver, aka CID-4d6636498c41.(CVE-2019-19529)
    
      - In the Linux kernel before 5.3.9, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/nfc/pn533/usb.c driver, aka
        CID-6af3aa57a098.(CVE-2019-19526)
    
      - In the Linux kernel before 5.3.6, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/net/ieee802154/atusb.c
        driver, aka CID-7fd25e6fc035.(CVE-2019-19525)
    
      - In the Linux kernel before 5.3.9, there are multiple
        out-of-bounds write bugs that can be caused by a
        malicious USB device in the Linux kernel HID drivers,
        aka CID-d9d4b1e46d95. This affects
        drivers/hid/hid-axff.c, drivers/hid/hid-dr.c,
        drivers/hid/hid-emsff.c, drivers/hid/hid-gaff.c,
        drivers/hid/hid-holtekff.c, drivers/hid/hid-lg2ff.c,
        drivers/hid/hid-lg3ff.c, drivers/hid/hid-lg4ff.c,
        drivers/hid/hid-lgff.c,
        drivers/hid/hid-logitech-hidpp.c,
        drivers/hid/hid-microsoft.c, drivers/hid/hid-sony.c,
        drivers/hid/hid-tmff.c, and
        drivers/hid/hid-zpff.c.(CVE-2019-19532)
    
      - In the Linux kernel before 5.2.10, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/hid/usbhid/hiddev.c driver,
        aka CID-9c09b214f30e.(CVE-2019-19527)
    
      - ** DISPUTED ** The Linux kernel through 5.0.7, when
        CONFIG_IA32_AOUT is enabled and ia32_aout is loaded,
        allows local users to bypass ASLR on setuid a.out
        programs (if any exist) because install_exec_creds() is
        called too late in load_aout_binary() in
        fs/binfmt_aout.c, and thus the ptrace_may_access()
        check has a race condition when reading /proc/pid/stat.
        NOTE: the software maintainer disputes that this is a
        vulnerability because ASLR for a.out format executables
        has never been supported.(CVE-2019-11191)
    
      - In the Linux kernel before 5.3.12, there is a
        use-after-free bug that can be caused by a malicious
        USB device in the drivers/input/ff-memless.c driver,
        aka CID-fa3a5a1880c9.(CVE-2019-19524)
    
      - drivers/net/wireless/marvell/libertas/if_sdio.c in the
        Linux kernel 5.2.14 does not check the alloc_workqueue
        return value, leading to a NULL pointer
        dereference.(CVE-2019-16232)
    
      - drivers/net/fjes/fjes_main.c in the Linux kernel 5.2.14
        does not check the alloc_workqueue return value,
        leading to a NULL pointer dereference.(CVE-2019-16231)
    
      - ** DISPUTED **
        drivers/gpu/drm/amd/amdkfd/kfd_interrupt.c in the Linux
        kernel 5.2.14 does not check the alloc_workqueue return
        value, leading to a NULL pointer dereference. NOTE: The
        security community disputes this issues as not being
        serious enough to be deserving a CVE
        id.(CVE-2019-16229)
    
      - Linux kernel CIFS implementation, version 4.9.0 is
        vulnerable to a relative paths injection in directory
        entry lists.(CVE-2019-10220)
    
      - A heap overflow flaw was found in the Linux kernel, all
        versions 3.x.x and 4.x.x before 4.18.0, in Marvell WiFi
        chip driver. The vulnerability allows a remote attacker
        to cause a system crash, resulting in a denial of
        service, or execute arbitrary code. The highest threat
        with this vulnerability is with the availability of the
        system. If code execution occurs, the code will run
        with the permissions of root. This will affect both
        confidentiality and integrity of files on the
        system.(CVE-2019-14901)
    
      - The Linux kernel before 5.4.2 mishandles
        ext4_expand_extra_isize, as demonstrated by
        use-after-free errors in __ext4_expand_extra_isize and
        ext4_xattr_set_entry, related to fs/ext4/inode.c and
        fs/ext4/super.c, aka CID-4ea99936a163.(CVE-2019-19767)
    
      - A heap-based buffer overflow was discovered in the
        Linux kernel, all versions 3.x.x and 4.x.x before
        4.18.0, in Marvell WiFi chip driver. The flaw could
        occur when the station attempts a connection
        negotiation during the handling of the remote devices
        country settings. This could allow the remote device to
        cause a denial of service (system crash) or possibly
        execute arbitrary code.(CVE-2019-14895)
    
      - Linux Kernel could allow a local authenticated attacker
        to obtain sensitive information, caused by a
        Transaction Asynchronous Abort (TAA) h/w issue in KVM.
        By sending a specially-crafted request, an attacker
        could exploit this vulnerability to obtain sensitive
        information, and use this information to launch further
        attacks against the affected system.(CVE-2019-19338)
    
      - TSX Asynchronous Abort condition on some CPUs utilizing
        speculative execution may allow an authenticated user
        to potentially enable information disclosure via a side
        channel with local access.(CVE-2019-11135)
    
      - An out-of-bounds memory write issue was found in the
        Linux Kernel, version 3.13 through 5.4, in the way the
        Linux kernel's KVM hypervisor handled the
        'KVM_GET_EMULATED_CPUID' ioctl(2) request to get CPUID
        features emulated by the KVM hypervisor. A user or
        process able to access the '/dev/kvm' device could use
        this flaw to crash the system, resulting in a denial of
        service.(CVE-2019-19332)
    
      - kernel/sched/fair.c in the Linux kernel before 5.3.9,
        when cpu.cfs_quota_us is used (e.g., with Kubernetes),
        allows attackers to cause a denial of service against
        non-cpu-bound applications by generating a workload
        that triggers unwanted slice expiration, aka
        CID-de53fd7aedb1. (In other words, although this slice
        expiration would typically be seen with benign
        workloads, it is possible that an attacker could
        calculate how many stray requests are required to force
        an entire Kubernetes cluster into a low-performance
        state caused by slice expiration, and ensure that a
        DDoS attack sent that number of stray requests. An
        attack does not affect the stability of the kernel it
        only causes mismanagement of application
        execution.)(CVE-2019-19922)
    
      - A stack-based buffer overflow was found in the Linux
        kernel, version kernel-2.6.32, in Marvell WiFi chip
        driver. An attacker is able to cause a denial of
        service (system crash) or, possibly execute arbitrary
        code, when a STA works in IBSS mode (allows connecting
        stations together without the use of an AP) and
        connects to another STA.(CVE-2019-14897)
    
      - A heap-based buffer overflow vulnerability was found in
        the Linux kernel, version kernel-2.6.32, in Marvell
        WiFi chip driver. A remote attacker could cause a
        denial of service (system crash) or, possibly execute
        arbitrary code, when the lbs_ibss_join_existing
        function is called after a STA connects to an
        AP.(CVE-2019-14896)
    
      - In the Linux kernel through 5.4.6, there are
        information leaks of uninitialized memory to a USB
        device in the
        drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
        driver, aka CID-da2311a6385c.(CVE-2019-19947)
    
      - In the Linux kernel before 5.1, there is a memory leak
        in __feat_register_sp() in net/dccp/feat.c, which may
        cause denial of service, aka
        CID-1d3ff0950e2b.(CVE-2019-20096)
    
      - mwifiex_tm_cmd in
        drivers/net/wireless/marvell/mwifiex/cfg80211.c in the
        Linux kernel before 5.1.6 has some error-handling cases
        that did not free allocated hostcmd memory, aka
        CID-003b686ace82. This will cause a memory leak and
        denial of service.(CVE-2019-20095)
    
      - An exploitable denial-of-service vulnerability exists
        in the Linux kernel prior to mainline 5.3. An attacker
        could exploit this vulnerability by triggering AP to
        send IAPP location updates for stations before the
        required authentication process has completed. This
        could lead to different denial-of-service scenarios,
        either by causing CAM table attacks, or by leading to
        traffic flapping if faking already existing clients in
        other nearby APs of the same wireless infrastructure.
        An attacker can forge Authentication and Association
        Request packets to trigger this
        vulnerability.(CVE-2019-5108)
    
      - In a Linux KVM guest that has PV TLB enabled, a process
        in the guest kernel may be able to read memory
        locations from another process in the same guest. This
        problem is limit to the host running linux kernel 4.10
        with a guest running linux kernel 4.16 or later. The
        problem mainly affects AMD processors but Intel CPUs
        cannot be ruled out.(CVE-2019-3016)
    
      - fs/namei.c in the Linux kernel before 5.5 has a
        may_create_in_sticky use-after-free, which allows local
        users to cause a denial of service (OOPS) or possibly
        obtain sensitive information from kernel memory, aka
        CID-d0cb50185ae9. One attack vector may be an open
        system call for a UNIX domain socket, if the socket is
        being moved to a new parent directory and its old
        parent directory is being removed.(CVE-2020-8428)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the n_tty_receive_buf_common
        function in drivers/tty/n_tty.c.(CVE-2020-8648)
    
      - An issue was discovered in the Linux kernel through
        5.5.6. set_fdc in drivers/block/floppy.c leads to a
        wait_til_ready out-of-bounds read because the FDC index
        is not checked for errors before assigning it, aka
        CID-2e90ca68b0d2.(CVE-2020-9383)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vgacon_invert_region
        function in
        drivers/video/console/vgacon.c.(CVE-2020-8649)
    
      - There is a use-after-free vulnerability in the Linux
        kernel through 5.5.2 in the vc_do_resize function in
        drivers/tty/vt/vt.c.(CVE-2020-8647)
    
      - In the Linux kernel 5.0.21, mounting a crafted ext4
        filesystem image, performing some operations, and
        unmounting can lead to a use-after-free in
        ext4_put_super in fs/ext4/super.c, related to
        dump_orphan_list in fs/ext4/super.c.(CVE-2019-19447)
    
      - A flaw was discovered in the way that the KVM
        hypervisor handled instruction emulation for an L2
        guest when nested virtualisation is enabled. Under some
        circumstances, an L2 guest may trick the L0 guest into
        accessing sensitive L1 resources that should be
        inaccessible to the L2 guest.(CVE-2020-2732)
    
      - In the Linux kernel before 5.3.11, sound/core/timer.c
        has a use-after-free caused by erroneous code
        refactoring, aka CID-e7af6307a8a5. This is related to
        snd_timer_open and snd_timer_close_locked. The timeri
        variable was originally intended to be for a newly
        created timer instance, but was used for a different
        purpose after refactoring.(CVE-2019-19807)
    
      - In the Linux kernel 5.4.0-rc2, there is a
        use-after-free (read) in the __blk_add_trace function
        in kernel/trace/blktrace.c (which is used to fill out a
        blk_io_trace structure and place it in a per-cpu
        sub-buffer).(CVE-2019-19768)
    
      - In the Linux kernel 5.0.21, mounting a crafted f2fs
        filesystem image can cause a NULL pointer dereference
        in f2fs_recover_fsync_data in fs/f2fs/recovery.c. This
        is related to F2FS_P_SB in
        fs/f2fs/f2fs.h.(CVE-2019-19815)
    
      - ** DISPUTED ** __btrfs_free_extent in
        fs/btrfs/extent-tree.c in the Linux kernel through
        5.3.12 calls btrfs_print_leaf in a certain ENOENT case,
        which allows local users to obtain potentially
        sensitive information about register values via the
        dmesg program. NOTE: The BTRFS development team
        disputes this issues as not being a vulnerability
        because '1) The kernel provide facilities to restrict
        access to dmesg - dmesg_restrict=1 sysctl option. So
        it's really up to the system administrator to judge
        whether dmesg access shall be disallowed or not. 2)
        WARN/WARN_ON are widely used macros in the linux
        kernel. If this CVE is considered valid this would mean
        there are literally thousands CVE lurking in the kernel
        - something which clearly is not the
        case.'(CVE-2019-19039)
    
      - ext4_empty_dir in fs/ext4/namei.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because ext4_read_dirblock(inode,0,DIRENT_HTREE) can be
        zero.(CVE-2019-19037)
    
      - btrfs_root_node in fs/btrfs/ctree.c in the Linux kernel
        through 5.3.12 allows a NULL pointer dereference
        because rcu_dereference(root->node) can be
        zero.(CVE-2019-19036)
    
      - In the Linux kernel 4.19.83, there is a use-after-free
        (read) in the debugfs_remove function in
        fs/debugfs/inode.c (which is used to remove a file or
        directory in debugfs that was previously created with a
        call to another debugfs function such as
        debugfs_create_file).(CVE-2019-19770)
    
      - An issue was discovered in slc_bump in
        drivers/net/can/slcan.c in the Linux kernel through
        5.6.2. It allows attackers to read uninitialized
        can_frame data, potentially containing sensitive
        information from kernel stack memory, if the
        configuration lacks CONFIG_INIT_STACK_ALL, aka
        CID-b9258a2cece4.(CVE-2020-11494)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-11565)
    
      - A flaw was found in the Linux kernel's implementation
        of some networking protocols in IPsec, such as VXLAN
        and GENEVE tunnels over IPv6. When an encrypted tunnel
        is created between two hosts, the kernel isn't
        correctly routing tunneled data over the encrypted link
        rather sending the data unencrypted. This would allow
        anyone in between the two endpoints to read the traffic
        unencrypted. The main threat from this vulnerability is
        to data confidentiality.(CVE-2020-1749)
    
      - An issue was discovered in the stv06xx subsystem in the
        Linux kernel before 5.6.1.
        drivers/media/usb/gspca/stv06xx/stv06xx.c and
        drivers/media/usb/gspca/stv06xx/stv06xx_pb0100.c
        mishandle invalid descriptors, as demonstrated by a
        NULL pointer dereference, aka
        CID-485b06aadb93.(CVE-2020-11609)
    
      - An issue was discovered in the Linux kernel before
        5.6.1. drivers/media/usb/gspca/ov519.c allows NULL
        pointer dereferences in ov511_mode_init_regs and
        ov518_mode_init_regs when there are zero endpoints, aka
        CID-998912346c0d.(CVE-2020-11608)
    
      - In the Linux kernel before 5.4.12,
        drivers/input/input.c has out-of-bounds writes via a
        crafted keycode table, as demonstrated by
        input_set_keycode, aka
        CID-cb222aed03d7.(CVE-2019-20636)
    
      - In the Linux kernel before 5.6.1,
        drivers/media/usb/gspca/xirlink_cit.c (aka the Xirlink
        camera USB driver) mishandles invalid descriptors, aka
        CID-a246b4d54770.(CVE-2020-11668)
    
      - An issue was discovered in the Linux kernel through
        5.6.2. mpol_parse_str in mm/mempolicy.c has a
        stack-based out-of-bounds write because an empty
        nodelist is mishandled during mount option parsing, aka
        CID-aa9f7d5172fa.(CVE-2020-0067)
    
      - An issue was discovered in the Linux kernel before 5.2
        on the powerpc platform.
        arch/powerpc/kernel/idle_book3s.S does not have
        save/restore functionality for PNV_POWERSAVE_AMR,
        PNV_POWERSAVE_UAMOR, and PNV_POWERSAVE_AMOR, aka
        CID-53a712bae5dd.(CVE-2020-11669)
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the EulerOS security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues.");
      # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1536
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a90e7d8e");
      script_set_attribute(attribute:"solution", value:
    "Update the affected kernel packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2020/04/30");
      script_set_attribute(attribute:"plugin_publication_date", value:"2020/05/01");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-headers");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:kernel-tools-libs-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:perf");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:python-perf");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:uvp:3.0.2.0");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Huawei Local Security Checks");
    
      script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/uvp_version");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/EulerOS/release");
    if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
    uvp = get_kb_item("Host/EulerOS/uvp_version");
    if (uvp != "3.0.2.0") audit(AUDIT_OS_NOT, "EulerOS Virtualization 3.0.2.0");
    if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
    if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
    
    flag = 0;
    
    pkgs = ["kernel-4.19.36-vhulk1907.1.0.h729",
            "kernel-devel-4.19.36-vhulk1907.1.0.h729",
            "kernel-headers-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-4.19.36-vhulk1907.1.0.h729",
            "kernel-tools-libs-devel-4.19.36-vhulk1907.1.0.h729",
            "perf-4.19.36-vhulk1907.1.0.h729",
            "python-perf-4.19.36-vhulk1907.1.0.h729"];
    
    foreach (pkg in pkgs)
      if (rpm_check(release:"EulerOS-2.0", reference:pkg)) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "kernel");
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_B17C86B9E52E11E986E9001B217B3468.NASL
    descriptionSO-AND-SO reports : XSS in Markdown Preview Using Mermaid Bypass Email Verification using Salesforce Authentication Account Takeover using SAML Uncontrolled Resource Consumption in Markdown using Mermaid Disclosure of Private Project Path and Labels Disclosure of Assignees via Milestones Disclosure of Project Path via Unsubscribe Link Disclosure of Project Milestones via Groups Disclosure of Private System Notes via GraphQL GIT Command Injection via API Bypass User Blocking via CI/CD token IDOR Adding Groups to Protected Environments Disclosure of Group Membership via Merge Request Approval Rules Disclosure of Head Pipeline via Blocking Merge Request Feature Grafana update
    last seen2020-06-01
    modified2020-06-02
    plugin id129546
    published2019-10-03
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129546
    titleFreeBSD : Gitlab -- Multiple Vulnerabilities (b17c86b9-e52e-11e9-86e9-001b217b3468)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2019 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(129546);
      script_version("1.3");
      script_cvs_date("Date: 2019/12/23");
    
      script_cve_id("CVE-2019-19039");
    
      script_name(english:"FreeBSD : Gitlab -- Multiple Vulnerabilities (b17c86b9-e52e-11e9-86e9-001b217b3468)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "SO-AND-SO reports :
    
    XSS in Markdown Preview Using Mermaid
    
    Bypass Email Verification using Salesforce Authentication
    
    Account Takeover using SAML
    
    Uncontrolled Resource Consumption in Markdown using Mermaid
    
    Disclosure of Private Project Path and Labels
    
    Disclosure of Assignees via Milestones
    
    Disclosure of Project Path via Unsubscribe Link
    
    Disclosure of Project Milestones via Groups
    
    Disclosure of Private System Notes via GraphQL
    
    GIT Command Injection via API
    
    Bypass User Blocking via CI/CD token
    
    IDOR Adding Groups to Protected Environments
    
    Disclosure of Group Membership via Merge Request Approval Rules
    
    Disclosure of Head Pipeline via Blocking Merge Request Feature
    
    Grafana update"
      );
      # https://about.gitlab.com/2019/09/30/security-release-gitlab-12-dot-3-dot-2-released/
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?17fb1c77"
      );
      # https://vuxml.freebsd.org/freebsd/b17c86b9-e52e-11e9-86e9-001b217b3468.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?5df84e38"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:gitlab-ce");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2019/09/30");
      script_set_attribute(attribute:"patch_publication_date", value:"2019/10/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2019/10/03");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=12.3.0<12.3.2")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=12.2.0<12.2.6")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"gitlab-ce>=7.12.0<12.1.12")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_note(port:0, extra:pkg_report_get());
      else security_note(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");