The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Tenable Nessus

computer vulnerability announce CVE-2017-18214

Node.js moment: denial of service via Regular Expression

Synthesis of the vulnerability

An attacker can generate a fatal error via Regular Expression of Node.js moment, in order to trigger a denial of service.
Impacted products: Nodejs Modules ~ not comprehensive, Nessus.
Severity: 2/4.
Consequences: denial of service on server, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 28/11/2017.
Identifiers: CERTFR-2019-AVI-132, CVE-2017-18214, TNS-2019-02, VIGILANCE-VUL-24557.

Description of the vulnerability

An attacker can generate a fatal error via Regular Expression of Node.js moment, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability bulletin CVE-2017-16932

libxml2: infinite loop via parser.c

Synthesis of the vulnerability

An attacker can generate an infinite loop via parser.c of libxml2, in order to trigger a denial of service.
Impacted products: Debian, libxml, Nessus, Ubuntu.
Severity: 1/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 24/11/2017.
Identifiers: CERTFR-2018-AVI-288, CVE-2017-16932, DLA-1194-1, TNS-2018-08, USN-3504-1, USN-3504-2, VIGILANCE-VUL-24528.

Description of the vulnerability

An attacker can generate an infinite loop via parser.c of libxml2, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-16931

libxml2: denial of service via Parameter-entity References

Synthesis of the vulnerability

An attacker can generate a fatal error via Parameter-entity References of libxml2, in order to trigger a denial of service.
Impacted products: Debian, libxml, Nessus.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Creation date: 24/11/2017.
Identifiers: CERTFR-2018-AVI-288, CVE-2017-16931, DLA-1194-1, TNS-2018-08, VIGILANCE-VUL-24527.

Description of the vulnerability

An attacker can generate a fatal error via Parameter-entity References of libxml2, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2017-3735

OpenSSL: out-of-bounds memory reading via X.509 IPAddressFamily

Synthesis of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Mac OS X, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, Fedora, FreeBSD, hMailServer, AIX, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, Percona Server, pfSense, RHEL, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/11/2017.
Identifiers: 2011879, 2013026, 2014367, bulletinapr2018, CERTFR-2017-AVI-391, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-3735, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, HT208331, HT208394, ibm10715641, ibm10738249, JSA10851, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:3221-01, SA157, SB10211, SUSE-SU-2017:2968-1, SUSE-SU-2017:2981-1, SUSE-SU-2018:0112-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-24317.

Description of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-3736

OpenSSL: Man-in-the-Middle via bn_sqrx8x_internal

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle and use a carry error of bn_sqrx8x_internal() on OpenSSL, in order to read or write data in the session.
Impacted products: SDS, SNS, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, hMailServer, Domino, Notes, IRAD, Rational ClearCase, QRadar SIEM, Tivoli Storage Manager, WebSphere AS Traditional, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, McAfee Email Gateway, McAfee NSP, McAfee NTBA, VirusScan, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, Percona Server, pfSense, RHEL, Slackware, stunnel, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 1/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 02/11/2017.
Identifiers: 2012827, 2013025, 2014202, 2014651, 2014669, 2015080, bulletinapr2018, bulletinjan2018, CERTFR-2017-AVI-391, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-3736, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, ibm10715641, ibm10719113, ibm10732391, ibm10733905, ibm10738249, ibm10738401, JSA10851, K14363514, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:0998-01, RHSA-2018:2568-01, RHSA-2018:2575-01, SA157, SB10211, SB10220, SSA:2017-306-02, STORM-2017-006, SUSE-SU-2018:2839-1, SUSE-SU-2018:3082-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-24316.

Description of the vulnerability

An attacker can act as a Man-in-the-Middle and use a carry error of bn_sqrx8x_internal() on OpenSSL, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-3735

OpenSSL: out-of-bounds memory reading via X.509 IPAddressFamily

Synthesis of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Mac OS X, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, AIX, WebSphere MQ, Juniper J-Series, Junos OS, NSM Central Manager, NSMXpress, SRX-Series, MariaDB ~ precise, McAfee Web Gateway, MySQL Community, MySQL Enterprise, Nodejs Core, OpenSSL, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, Percona Server, pfSense, RHEL, SUSE Linux Enterprise Desktop, SLES, Symantec Content Analysis, ProxySG by Symantec, SGOS by Symantec, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, X2GoClient.
Severity: 1/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: user shell.
Creation date: 29/08/2017.
Identifiers: 2011879, 2013026, 2014367, bulletinapr2018, cpuapr2018, cpuapr2019, cpujan2018, cpujan2019, cpujul2018, cpuoct2018, CVE-2017-3735, DSA-4017-1, DSA-4018-1, FEDORA-2017-4cf72e2c11, FEDORA-2017-512a6c5aae, FEDORA-2017-55a3247cfd, FEDORA-2017-7f30914972, FEDORA-2017-dbec196dd8, FreeBSD-SA-17:11.openssl, HT208331, HT208394, ibm10715641, ibm10738249, JSA10851, K21462542, openSUSE-SU-2017:3192-1, openSUSE-SU-2018:0029-1, openSUSE-SU-2018:0315-1, RHSA-2018:3221-01, SA157, SB10211, SUSE-SU-2017:2968-1, SUSE-SU-2017:2981-1, SUSE-SU-2018:0112-1, TNS-2017-15, USN-3475-1, VIGILANCE-VUL-23636.

Description of the vulnerability

An attacker can force a read at an invalid address via X.509 IPAddressFamily of OpenSSL, in order to trigger a denial of service, or to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2017-7244 CVE-2017-7245 CVE-2017-7246

PCRE: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of PCRE.
Impacted products: Fedora, Solaris, Nessus.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/08/2017.
Identifiers: bulletinjul2017, CERTFR-2018-AVI-288, CVE-2017-7244, CVE-2017-7245, CVE-2017-7246, FEDORA-2018-3238d4da59, TNS-2018-08, VIGILANCE-VUL-23592.

Description of the vulnerability

An attacker can use several vulnerabilities of PCRE.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-1000061

XML Security Library: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to XML Security Library (xmlsec), in order to read a file, scan sites, or trigger a denial of service.
Impacted products: RHEL, Nessus.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 21/08/2017.
Identifiers: CERTFR-2018-AVI-288, CVE-2017-1000061, RHSA-2017:2492-01, TNS-2018-08, VIGILANCE-VUL-23586.

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the XML Security Library parser allows external entities.

An attacker can therefore transmit malicious XML data to XML Security Library (xmlsec), in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2017-11506

Nessus: Man-in-the-Middle

Synthesis of the vulnerability

An attacker can act as a Man-in-the-Middle on Nessus, in order to read or write data in the session.
Impacted products: Nessus.
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet server.
Creation date: 09/08/2017.
Identifiers: CVE-2017-11506, TNS-2017-11, VIGILANCE-VUL-23486.

Description of the vulnerability

The Nessus product uses the TLS protocol, in order to create secure sessions.

However, the X.509 certificate and the service identity are not correctly checked.

An attacker can therefore act as a Man-in-the-Middle on Nessus, in order to read or write data in the session.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2016-9063

expat: integer overflow via XML_Parse

Synthesis of the vulnerability

An attacker can generate an integer overflow via XML_Parse() of expat, in order to trigger a denial of service, and possibly to run code.
Impacted products: iOS by Apple, iPhone, Mac OS X, Fedora, openSUSE Leap, Python, Slackware, Nessus.
Severity: 2/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 12/07/2017.
Identifiers: APPLE-SA-2017-09-19-1, APPLE-SA-2017-09-25-1, APPLE-SA-2017-09-25-4, CERTFR-2018-AVI-288, CVE-2016-9063, FEDORA-2017-18601ad5d2, FEDORA-2017-2c5635cd97, FEDORA-2017-a44f9aa38b, HT208144, openSUSE-SU-2017:2336-1, SSA:2017-266-02, SSA:2018-124-01, TNS-2018-08, VIGILANCE-VUL-23211.

Description of the vulnerability

An attacker can generate an integer overflow via XML_Parse() of expat, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Tenable Nessus: