- 273/2023
- High
Tenable has released a security update to fix multiple vulnerabilities in several third-party components (OpenSSL, curl, chosen, datatables) affecting Nessus Network Monitor (NNM) version 6.2.3 and earlier.
The addressed vulnerabilities could allow the attacker to escalate privileges to NT AUTHORITY\SYSTEM on Windows hosts, perform denial of service attacks, or perform blind SQL injection and manipulate data on the affected system.
Sample of the addressed vulnerabilities:
1. Tenable Nessus SQL Injection Vulnerability (CVE- 2023-5624):
- CVSS: 7.2
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: High
- User Interaction: None
- Consequences: Data Manipulation
2. Tenable Nessus Privilege Escalation Vulnerability (CVE-2023-5622):
- CVSS: 7.1
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Privilege
Vulnerabilities
- CVE-2023-5622
- CVE-2023-5623
- CVE-2023-5624
- CVE-2018-25050
- CVE-2021-23445
- CVE-2023-0465
- CVE-2023-0466
- CVE-2023-1255
- CVE-2023-2650
- CVE-2023-3817
- CVE-2023-3446
- CVE-2023-38039
- CVE-2023-4807
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.