Information disclosure in Nessus Agent - CVE-2021-20077

 

Information disclosure in Nessus Agent - CVE-2021-20077

Published: March 19, 2021


Vulnerability identifier: #VU51578
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-20077
CWE-ID: CWE-200
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Tenable Network Security
Affected software:
Nessus Agent

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to Nessus Agent inadvertently captures the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. A local privileged user can obtain the token.


How to mitigate CVE-2021-20077

Install updates from vendor's website.

Sources