- 249/2022
- Critical
Tenable Nessus has released an updated version (Nessus 10.3.1) to fix multiple vulnerabilities in the third-party components (moment.js, expat, datatables, libxml2, zlib).
The severity of the addressed vulnerabilities could allow the remote attacker to execute arbitrary code or cause a denial of service condition on the affected products by sending a specially-crafted request.
Sample of the addressed vulnerabilities:
1. libexpat code execution (CVE-2022-40674):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
2. Moment denial of service (CVE-2022-31129):
- CVSS: 7.5
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Denial of Service
Vulnerabilities
- CVE-2020-28458
- CVE-2021-23445
- CVE-2022-31129
- CVE-2022-24785
- CVE-2022-40674
- CVE-2022-2309
- CVE-2022-29824
- CVE-2022-23308
- CVE-2022-37434
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.