The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:2179 advisory.

    The ovirt-engine package provides the manager for virtualization environments.
    This manager enables admins to define hosts and networks, as well as to add     storage, create VMs and manage user permissions.

    A list of bugs fixed in this update is available in the Technical Notes     book:

    https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html-single/technical_notes

    Security Fix(es):

    * nodejs-lodash: command injection via template (CVE-2021-23337)

    * nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions (CVE-2020-28500)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    Bug Fix(es):

    * This release adds the queue attribute to the virtio-scsi driver in the virtual machine configuration.
    This improvement enables multi-queue performance with the virtio-scsi driver. (BZ#911394)

    * With this release, source-load-balancing has been added as a new sub-option for xmit_hash_policy. It can     be configured for bond modes balance-xor (2), 802.3ad (4) and balance-tlb (5), by specifying     xmit_hash_policy=vlan+srcmac. (BZ#1683987)

    * The default DataCenter/Cluster will be set to compatibility level 4.6 on new installations of Red Hat     Virtualization 4.4.6.; (BZ#1950348)

    * With this release, support has been added for copying disks between regular Storage Domains and Managed     Block Storage Domains.
    It is now possible to migrate disks between Managed Block Storage Domains and regular Storage Domains.
    (BZ#1906074)

    * Previously, the engine-config value LiveSnapshotPerformFreezeInEngine was set by default to false and     was supposed to be uses in cluster compatibility levels below 4.4. The value was set to general version.
    With this release, each cluster level has it's own value, defaulting to false for 4.4 and above. This will     reduce unnecessary overhead in removing time outs of the file system freeze command. (BZ#1932284)

    * With this release, running virtual machines is supported for up to 16TB of RAM on x86_64 architectures.
    (BZ#1944723)

    * This release adds the gathering of oVirt/RHV related certificates to allow easier debugging of issues     for faster customer help and issue resolution.
    Information from certificates is now included as part of the sosreport. Note that no corresponding private     key information is gathered, due to security considerations. (BZ#1845877)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
    (CVE-2021-23337)

Note that Nessus relies on the presence of the package as reported by the vendor.

WordPress versions 5.8 < 5.8.1 / 5.7 < 5.7.3 / 5.6 < 5.6.5 / 5.5 < 5.5.6 / 5.4 < 5.4.7 / 5.2 < 5.2.12 are affected by one or more vulnerabilities

The version of F5 Networks BIG-IP installed on the remote host is prior to 15.1.8 / 16.1.3.2 / 17.0.0. It is, therefore, affected by multiple vulnerabilities as referenced in the K12492858 advisory.

  - Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
    (CVE-2021-23337)

  - Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the     toNumber, trim and trimEnd functions. (CVE-2020-28500)

  - Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject     arbitrary web script or HTML via the closeText parameter of the dialog function. (CVE-2016-7103)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Primavera Unifier installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory, including the following:

  - An easily exploitable vulnerability in the File Management component of Primavera Unifier that allows an     unauthenticated, remote attacker to compromise availability. (CVE-2021-36090)

  - An easily exploitable vulnerability in the Platform, UI (Lodash) component of Primavera Unifier that     allows a remote, high privileged attacker to compromise confidentiality, integrity, and availability.
    (CVE-2021-23337)

  - An easily exploitable vulnerability in the Platform (Apache Tika) component of Primavera unifier that     allows an unauthenticated attacker to compromise availability. (CVE-2021-28657)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Primavera Gateway installed on the remote host is affected by multiple vulnerabilities as referenced in the October 2021 CPU advisory, including the following:

  - Vulnerability in the Oracle Retail Store Inventory Management product of Oracle Retail Applications     (component: SIM Integration (JDBC)). Supported versions that are affected are 14.1, 15.0 and 16.0.
    Difficult to exploit vulnerability allows unauthenticated attacker with network access via Oracle Net to     compromise Oracle Retail Store Inventory Management. Successful attacks require human interaction from a     person other than the attacker and while the vulnerability is in Oracle Retail Store Inventory Management,     attacks may significantly impact additional products. Successful attacks of this vulnerability can result     in takeover of Oracle Retail Store Inventory Management. (CVE-2021-2351)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component: File     Management (Apache Commons Compress)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12     and 20.12. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP     to compromise Primavera Unifier. Successful attacks of this vulnerability can result in unauthorized     ability to cause a hang or frequently repeatable crash (complete DOS) of Primavera Unifier. (CVE-2021-36090)

  - Vulnerability in the Primavera Unifier product of Oracle Construction and Engineering (component:
    Platform, UI (Lodash)). Supported versions that are affected are 17.7-17.12, 18.8, 19.12 and 20.12. Easily     exploitable vulnerability allows high privileged attacker with network access via HTTP to compromise     Primavera Unifier. (CVE-2021-23337)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
150124	RHEL 8 : RHV Manager security update (ovirt-engine) [ovirt-4.4.6] (Moderate) (RHSA-2021:2179)	Nessus	Red Hat Local Security Checks	2021/6/1	2024/11/7	high
250988	Linux Distros Unpatched Vulnerability : CVE-2021-23337	Nessus	Misc.	2025/8/18	2026/4/28	high
153173	WordPress 5.8 < 5.8.1 / 5.7 < 5.7.3 / 5.6 < 5.6.5 / 5.5 < 5.5.6 / 5.4 < 5.4.7 / 5.2 < 5.2.12	Nessus	CGI abuses	2021/9/9	2025/5/14	high
184223	F5 Networks BIG-IP : Appliance mode authenticated F5 BIG-IP Guided Configuration third-party lodash and jQuery vulnerabilities (K12492858)	Nessus	F5 Networks Local Security Checks	2023/11/2	2026/3/2	high
154262	Oracle Primavera Unifier (Oct 2021 CPU)	Nessus	CGI abuses	2021/10/20	2023/11/28	high
154297	Oracle Primavera Gateway (Oct 2021 CPU)	Nessus	CGI abuses	2021/10/21	2023/10/24	high

检测

插件搜索

high

high

high

high

high

high