SB2021072292 - Multiple vulnerabilities in Tenable.sc

Description

This security bulletin contains information about 47 secuirty vulnerabilities.

1) Prototype pollution (CVE-ID: CVE-2019-19919)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. Templates may alter an Object's __proto__ and __defineGetter__ properties, which may allow an attacker to execute arbitrary code through crafted payloads.

2) Infinite loop (CVE-ID: CVE-2019-19645)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in alter.c that can be triggered via certain types of self-referential views in conjunction with ALTER TABLE statements. A remote attacker can consume all available system resources and cause denial of service conditions.

3) Out-of-bounds read (CVE-ID: CVE-2020-7067)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition when processing untrusted input passed to urldecode() PHP function. A remote attacker can send specially crafted data to the application that uses the affected function and gain access to sensitive information on the system

4) Use-after-free (CVE-ID: CVE-2020-7068)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the "phar_parse_zipfile" function. A remote attacker can can cause a denial of service (DoS) condition on the target system.

5) Cryptographic issues (CVE-ID: CVE-2020-7069)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the openssl_encrypt() function generates a wrong ciphertext and a wrong tag for AES-CCM for a 12 bytes IV. As a result, a 7-byte nonce is used instead of 12 bytes. A remote attacker can abuse such behavior and decrypt data.

6) Input validation error (CVE-ID: CVE-2020-7070)

The vulnerability allows a remote attacker to perform a spoofing attack.

The vulnerability exists in the way PHP parser handles cookies with percent character (e.g. '%'). A remote attacker can send a crafted HTTP request with a `__%48ost-` or `__%53ecure-` cookie that will be processed before other cookies sent in the same request. As a result, an attacker can set malicious `__Host-` cookie on a subdomain and bypass origin restrictions, imposed by browsers.

Successful exploitation of the vulnerability may allow an attacker to perform a spoofing attack.

7) Input validation error (CVE-ID: CVE-2020-7071)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of URL performed via the "FILTER_VALIDATE_URL" setting. A remote attacker can use the "@" characters in the URL to bypass implemented filter and force the application to accept arbitrary URL instead of the defined by the option.

Example:

http://evel.website@trusted.website

8) NULL pointer dereference (CVE-ID: CVE-2021-21702)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the SoapClient in PHP. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

9) Stack-based buffer overflow (CVE-ID: CVE-2021-21704)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

Multiple boundary errors exists within firebird_info_cb(), firebird_handle_doer(), firebird_stmt_execute(), and firebird_fetch_blob() function. A remote attacker can pass specially crafted input to the application, trigger a stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

10) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2021-21705)

The disclosed vulnerability allows a remote attacker to perform SSRF attacks.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted HTTP request, bypass the FILTER_VALIDATE_URL and trick the application to initiate requests to arbitrary systems.

Successful exploitation of this vulnerability may allow a remote attacker gain access to sensitive data, located in the local network or send malicious requests to other servers from the vulnerable system.

11) Division by zero (CVE-ID: CVE-2019-16168)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to a division by zero error within the whereLoopAddBtreeIndex in sqlite3.c due to improper input validation in the sqlite_stat1 sz field. A remote attacker can pass specially crafted data to the application, trigger division by zero error and crash the vulnerable application.

12) Input validation error (CVE-ID: CVE-2019-19646)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of NOT NULL in an integrity_check PRAGMA command in pragma.c when generating certain columns. A remote attacker can perform a denial of service attack.

13) Stack-based buffer overflow (CVE-ID: CVE-2020-7065)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within php_unicode_tolower_full() function, as demonstrated by the mb_strtolower() call. A remote attacker can pass specially crafted data to the application that uses affected function, trigger stack-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

14) Input validation error (CVE-ID: CVE-2020-11655)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when the AggInfo object's initialization is mishandled. A remote attacker can pass specially crafted input via a malformed window-function query to the application and perform a denial of service (DoS) attack.

15) Use-after-free (CVE-ID: CVE-2020-11656)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error in the ALTER TABLE implementation. A remote attacker can execute arbitrary code on the target system, as demonstrated by an ORDER BY clause that belongs to a compound SELECT statement.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

16) Integer overflow (CVE-ID: CVE-2020-13434)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to integer overflow within the sqlite3_str_vappendf() function in printf.c. A remote attacker can pass specially crafted data to the application, trigger integer overflow and crash the application.

17) Input validation error (CVE-ID: CVE-2020-13435)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input in sqlite3ExprCodeTarget() function in expr.c. A remote attacker can pass specially crafted input to the application and perform a denial of service (DoS) attack.

18) Use-after-free (CVE-ID: CVE-2020-13630)

The vulnerability allows a remote attacker to compromise vulnerable system.

The vulnerability exists due to a use-after-free error within the fts3EvalNextRow() function in ext/fts3/fts3.c. A remote attacker can pass specially crafted data to application, trigger a use-after-free error and execute arbitrary code on the target system.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.

19) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-13631)

The vulnerability allows a local user to bypass certain security restrictions.

The vulnerability exists due an error in alter.c and build.c files in SQLite that allows a local user to rename a virtual table into a shadow table. A local user with permissions to create virtual tables can renamed them and gain unauthorized access to the fronted application.

20) NULL pointer dereference (CVE-ID: CVE-2020-13632)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in ext/fts3/fts3_snippet.c in SQLite. A local user can trigger denial of service conditions via a crafted matchinfo() query.

21) Out-of-bounds write (CVE-ID: CVE-2020-15358)

The vulnerability allows a local authenticated user to perform a denial of service (DoS) attack.

In SQLite before 3.32.3, select.c mishandles query-flattener optimization, leading to a multiSelectOrderBy heap overflow because of misuse of transitive properties for constant propagation.

22) Cross-site scripting (CVE-ID: CVE-2020-11022)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data in the regex operation in "jQuery.htmlPrefilter". A remote attacker can pass specially crafted data to the application that uses .html()</code>, <code>.append() or similar methods for it and execute arbitrary JavaScript code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

23) Input validation error (CVE-ID: CVE-2020-7066)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to get_headers() PHP function silently truncates headers after receiving a NULL byte character. A remote attacker can abuse this behavior to bypass implemented security restrictions with in the application.

24) Out-of-bounds read (CVE-ID: CVE-2020-7064)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within exif_read_data() PHP function. A remote attacker can pass specially crafted data to the application that uses the vulnerable function, trigger one byte out-of-bounds read error and read contents of memory on the system.

25) Code Injection (CVE-ID: CVE-2021-23358)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

26) Buffer overflow (CVE-ID: CVE-2019-11043)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in env_path_info in PHP-FPM when processing untrusted input passed via URL. A remote attacker can send a specially crafted HTTP request to the affected server, trigger memory corruption and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system but requires that php-fpm is used with nginx and certain nginx configuration was applied:

1. The nginx location directive forwards requests to PHP-FPM
2. The fastcgi_split_path_info directive is present and includes a regular expression beginning with a ‘^’ symbol and ending with a ‘$’ symbol
3. The fastcgi_param directive is used to assign the PATH_INFO variable
4. There are no checks in place to determine whether or not a file exists (e.g., using try_files or an if statemen

27) Improper Restriction of XML External Entity Reference (CVE-ID: CVE-2017-5661)

The vulnerability allows a remote attacker to perform an XXE attack.

The vulnerability exists due to insufficient validation of user-supplied data when processing SVG files. A remote attacker can create a specially crafted SVG file, trick the victim into opening it with affected application and gain access to potentially sensitive information.

Successful exploitation of the vulnerability may lead to system compromise.

28) Cross-site scripting (CVE-ID: CVE-2019-8331)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

29) Cross-site scripting (CVE-ID: CVE-2018-20676)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the tooltip data-viewport attribute due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

30) Cross-site scripting (CVE-ID: CVE-2018-20677)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the affix configuration target property due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

31) Cross-site scripting (CVE-ID: CVE-2018-14040)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the data-parent attribute of the collapse plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

32) Cross-site scripting (CVE-ID: CVE-2018-14042)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists in the data-container property of the tooltip plugin due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

33) Cross-site scripting (CVE-ID: CVE-2016-10735)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data passed via the "data-target" attribute. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

34) Out-of-bounds read (CVE-ID: CVE-2019-11041)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the exif_read_data() function. A remote attacker can create a specially crafted image file, pass it to the application, trigger out-of-bounds read error and read contents of memory on the system.

35) Out-of-bounds read (CVE-ID: CVE-2019-11042)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition within the exif_read_data() function in PHP EXIF extention. A remote attacker can create a specially crafted image file, pass it to the application, trigger out-of-bounds read error and read contents of memory on the system.

36) Input validation error (CVE-ID: CVE-2019-11044)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 on Windows, PHP link() function accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

37) Incorrect default permissions (CVE-ID: CVE-2020-7063)

The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due to incorrect default permissions for files and folders that are set during the Phar::buildFromIterator() call when adding files into tar archive. A local user can extract files from tar archive and gain access to otherwise restricted information.

38) Input validation error (CVE-ID: CVE-2019-11045)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access.

39) Out-of-bounds read (CVE-ID: CVE-2019-11046)

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations.

40) Out-of-bounds read (CVE-ID: CVE-2019-11047)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

41) Resource exhaustion (CVE-ID: CVE-2019-11048)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the way PHP handles long filenames or field names during file upload. A remote attacker can supply an overly long filename to the application that will lead PHP engine to try to allocate oversized memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files created by upload request. This will lead to accumulation of uncleaned temporary files exhausting the disk space on the target server.

42) Double Free (CVE-ID: CVE-2019-11049)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within mail() function implementation. A remote attacker can pass specially crafted header in lowercase, trigger double free error and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

43) Use-after-free (CVE-ID: CVE-2019-11050)

The vulnerability allows a remote non-authenticated attacker to #BASIC_IMPACT#.

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash.

44) Out-of-bounds read (CVE-ID: CVE-2020-7059)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when using the "fgetss()" function to read data with stripping tags. A remote attacker can supply data that will cause this function to read past the allocated buffer, trigger out-of-bounds read error and read contents of memory on the system or crash the application.

45) Out-of-bounds read (CVE-ID: CVE-2020-7060)

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when using certain "mbstring" functions to convert multibyte encodings. A remote attacker can supply data that will cause function "mbfl_filt_conv_big5_wchar" to read past the allocated buffer, trigger out-of-bounds read error and read contents of memory on the system or crash the application.

46) Heap-based buffer overflow (CVE-ID: CVE-2020-7061)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error within the phar_extract_file() function. A remote attacker can pass specially crafted file to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

47) NULL pointer dereference (CVE-ID: CVE-2020-7062)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in session.c when handling file uploads. A remote attacker can send a specially crafted HTTP POST request to the affected application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.tenable.com/security/tns-2021-14