RHEL 8:ruby: 2.6 (RHSA-2022: 0581)
high Nessus 插件 ID 158216
语言:
简介
远程 Red Hat 主机缺少一个或多个安全更新。描述
远程 Redhat Enterprise Linux 8 主机上安装的程序包受到 RHSA-2022: 0581 公告中提及的多个漏洞影响。- ruby:File.fnmatch 和 File.fnmatch? 中存在 NUL 注入漏洞。(CVE-2019-15845)
- ruby:WEBrick 摘要身份验证中存在正则表达式拒绝服务漏洞。 (CVE-2019-16201)
- ruby:WEBrick 中的 HTTP 响应拆分 (CVE-2019-16254)
- ruby:通过 Shell#test / Shell#[] 的命令参数进行代码注入 (CVE-2019-16255)
- rubygem-json:JSON 中存在不安全对象创建漏洞 (CVE-2020-10663)
- ruby:BasicSocket#read_nonblock 方法导致信息泄露 (CVE-2020-10933)
- ruby:WEBrick 中可能存在 HTTP 请求走私 (CVE-2020-25613)
- rubygem-bundler:可以从其他来源安装包含明确来源的 gem 依赖项 (CVE-2020-36327)
- ruby:REXML 中存在 XML 往返漏洞 (CVE-2021-28965)
- rubygem-rdoc:RDoc 中的命令注入漏洞 (CVE-2021-31799)
- ruby:FTP PASV 命令响应可造成 Net: : FTP 连接到任意主机 (CVE-2021-31810)
- ruby:Net: : IMAP 中的 StartTLS 剥离漏洞 (CVE-2021-32066)
- ruby:日期解析方法的正则表达式拒绝服务漏洞 (CVE-2021-41817)
- ruby:CGI: : Cookie.parse 中的 Cookie 前缀欺骗漏洞 (CVE-2021-41819)
请注意,Nessus 尚未测试这些问题,而是只依据应用程序自我报告的版本号进行判断。
解决方案
更新受影响的程序包。另见
https://bugzilla.redhat.com/1958999
https://bugzilla.redhat.com/1980126
https://bugzilla.redhat.com/1980128
https://bugzilla.redhat.com/1980132
https://bugzilla.redhat.com/2025104
https://bugzilla.redhat.com/2026757
https://access.redhat.com/security/cve/CVE-2019-15845
https://access.redhat.com/security/cve/CVE-2019-16201
https://access.redhat.com/security/cve/CVE-2019-16254
https://access.redhat.com/security/cve/CVE-2019-16255
https://access.redhat.com/security/cve/CVE-2020-10663
https://access.redhat.com/security/cve/CVE-2020-10933
https://access.redhat.com/security/cve/CVE-2020-25613
https://access.redhat.com/security/cve/CVE-2020-36327
https://access.redhat.com/security/cve/CVE-2021-28965
https://access.redhat.com/security/cve/CVE-2021-31799
https://access.redhat.com/security/cve/CVE-2021-31810
https://access.redhat.com/security/cve/CVE-2021-32066
https://access.redhat.com/security/cve/CVE-2021-41817
https://access.redhat.com/security/cve/CVE-2021-41819
https://access.redhat.com/errata/RHSA-2022:0581
https://bugzilla.redhat.com/1773728
https://bugzilla.redhat.com/1789407
https://bugzilla.redhat.com/1789556
https://bugzilla.redhat.com/1793683
https://bugzilla.redhat.com/1827500
https://bugzilla.redhat.com/1833291
插件详情
严重性: High
ID: 158216
文件名: redhat-RHSA-2022-0581.nasl
版本: 1.8
类型: local
代理: unix
发布时间: 2022/2/22
最近更新时间: 2023/11/7
支持的传感器: Agentless Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Nessus
风险信息
VPR
风险因素: Medium
分数: 6.7
CVSS v2
风险因素: High
基本分数: 9.3
时间分数: 7.3
矢量: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C
CVSS 分数来源: CVE-2020-36327
CVSS v3
风险因素: High
基本分数: 8.8
时间分数: 7.9
矢量: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
时间矢量: CVSS:3.0/E:P/RL:O/RC:C
漏洞信息
CPE: cpe:/o:redhat:rhel_e4s:8.1, p-cpe:/a:redhat:enterprise_linux:ruby, p-cpe:/a:redhat:enterprise_linux:ruby-devel, p-cpe:/a:redhat:enterprise_linux:ruby-doc, p-cpe:/a:redhat:enterprise_linux:ruby-libs, p-cpe:/a:redhat:enterprise_linux:rubygem-abrt, p-cpe:/a:redhat:enterprise_linux:rubygem-abrt-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-bigdecimal, p-cpe:/a:redhat:enterprise_linux:rubygem-bson, p-cpe:/a:redhat:enterprise_linux:rubygem-bson-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-bundler, p-cpe:/a:redhat:enterprise_linux:rubygem-did_you_mean, p-cpe:/a:redhat:enterprise_linux:rubygem-io-console, p-cpe:/a:redhat:enterprise_linux:rubygem-irb, p-cpe:/a:redhat:enterprise_linux:rubygem-json, p-cpe:/a:redhat:enterprise_linux:rubygem-minitest, p-cpe:/a:redhat:enterprise_linux:rubygem-mongo, p-cpe:/a:redhat:enterprise_linux:rubygem-mongo-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-mysql2, p-cpe:/a:redhat:enterprise_linux:rubygem-mysql2-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-net-telnet, p-cpe:/a:redhat:enterprise_linux:rubygem-openssl, p-cpe:/a:redhat:enterprise_linux:rubygem-pg, p-cpe:/a:redhat:enterprise_linux:rubygem-pg-doc, p-cpe:/a:redhat:enterprise_linux:rubygem-power_assert, p-cpe:/a:redhat:enterprise_linux:rubygem-psych, p-cpe:/a:redhat:enterprise_linux:rubygem-rake, p-cpe:/a:redhat:enterprise_linux:rubygem-rdoc, p-cpe:/a:redhat:enterprise_linux:rubygem-test-unit, p-cpe:/a:redhat:enterprise_linux:rubygem-xmlrpc, p-cpe:/a:redhat:enterprise_linux:rubygems, p-cpe:/a:redhat:enterprise_linux:rubygems-devel
必需的 KB 项: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu
可利用: true
易利用性: Exploits are available
补丁发布日期: 2022/2/21
漏洞发布日期: 2019/11/26
参考资料信息
CVE: CVE-2019-15845, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2020-10663, CVE-2020-10933, CVE-2020-25613, CVE-2020-36327, CVE-2021-28965, CVE-2021-31799, CVE-2021-31810, CVE-2021-32066, CVE-2021-41817, CVE-2021-41819