The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean     function could transform an invalid path such as a/../c:/b into the valid path c:\b. This     transformation of a relative (if invalid) path into an absolute path could enable a directory traversal     attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid)     path .\c:\b. (CVE-2022-41722)

Note that Nessus relies on the presence of the package as reported by the vendor.

An update of the falco package has been released.

An update of the kubernetes package has been released.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the 3d73e384-ad1f-11ed-983c-83fe35862e3a advisory.

  - A path traversal vulnerability exists in filepath.Clean on Windows. On Windows, the filepath.Clean     function could transform an invalid path such as a/../c:/b into the valid path c:\b. This     transformation of a relative (if invalid) path into an absolute path could enable a directory traversal     attack. After fix, the filepath.Clean function transforms this path into the relative (but still invalid)     path .\c:\b. (CVE-2022-41722)

  - A maliciously crafted HTTP/2 stream could cause excessive CPU consumption in the HPACK decoder, sufficient     to cause a denial of service from a small number of small requests. (CVE-2022-41723)

  - Large handshake records may cause panics in crypto/tls. Both clients and servers may send large TLS     handshake records which cause servers and clients, respectively, to panic when attempting to construct     responses. This affects all TLS 1.3 clients, TLS 1.2 clients which explicitly enable session resumption     (by setting Config.ClientSessionCache to a non-nil value), and TLS 1.3 servers which request client     certificates (by setting Config.ClientAuth >= RequestClientCert). (CVE-2022-41724)

  - A denial of service is possible from excessive resource consumption in net/http and mime/multipart.
    Multipart form parsing with mime/multipart.Reader.ReadForm can consume largely unlimited amounts of memory     and disk files. This also affects form parsing in the net/http package with the Request methods FormFile,     FormValue, ParseMultipartForm, and PostFormValue. ReadForm takes a maxMemory parameter, and is documented     as storing up to maxMemory bytes +10MB (reserved for non-file parts) in memory. File parts which cannot     be stored in memory are stored on disk in temporary files. The unconfigurable 10MB reserved for non-file     parts is excessively large and can potentially open a denial of service vector on its own. However,     ReadForm did not properly account for all memory consumed by a parsed form, such as map entry overhead,     part names, and MIME headers, permitting a maliciously crafted form to consume well over 10MB. In     addition, ReadForm contained no limit on the number of disk files created, permitting a relatively small     request body to create a large number of disk temporary files. With fix, ReadForm now properly accounts     for various forms of memory overhead, and should now stay within its documented limit of 10MB + maxMemory     bytes of memory consumption. Users should still be aware that this limit is high and may still be     hazardous. In addition, ReadForm now creates at most one on-disk temporary file, combining multiple form     parts into a single temporary file. The mime/multipart.File interface type's documentation states, If     stored on disk, the File's underlying concrete type will be an *os.File.. This is no longer the case when     a form contains more than one file part, due to this coalescing of parts into a single file. The previous     behavior of using distinct files for each form part may be reenabled with the environment variable     GODEBUG=multipartfiles=distinct. Users should be aware that multipart.ReadForm and the http.Request     methods that call it do not limit the amount of disk consumed by temporary files. Callers can limit the     size of form data with http.MaxBytesReader. (CVE-2022-41725)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the go package has been released.

The remote Redhat Enterprise Linux 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:3366 advisory.

    Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution     designed for on-premise or private cloud deployments.

    This advisory contains the RPM packages for Red Hat OpenShift Container Platform 4.13.2. See the following     advisory for the container images for this release:

    https://access.redhat.com/errata/RHSA-2023:3367

    Security Fix(es):

    * golang: html/template: improper handling of JavaScript whitespace (CVE-2023-24540)

    * golang: crash in a golang.org/x/crypto/ssh server (CVE-2022-27191)

    * golang: path/filepath: path-filepath filepath.Clean path traversal (CVE-2022-41722)

    * golang: crypto/tls: large handshake records may cause panics (CVE-2022-41724)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

    All OpenShift Container Platform 4.13 users are advised to upgrade to these updated packages and images     when they are available in the appropriate release channel. To check for available updates, use the     OpenShift CLI (oc) or web console. Instructions for upgrading a cluster are available at     https://docs.openshift.com/container-platform/4.13/updating/updating-cluster-cli.html

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of golang installed on the remote host is prior to 1.18.9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2023-2015 advisory.

    Requests forwarded by ReverseProxy include the raw query parameters from the inbound request, including     unparseable parameters rejected by net/http. This could permit query parameter smuggling when a Go proxy     forwards a parameter with an unparseable value. After fix, ReverseProxy sanitizes the query parameters in     the forwarded query when the outbound request's Form field is set after the ReverseProxy. Director     function returns, indicating that the proxy has parsed the query parameters. Proxies which do not parse     query parameters continue to forward the original query parameters unchanged. (CVE-2022-2880)

    Code injection in Cmd.Start in os/exec before Go 1.17.11 and Go 1.18.3 allows execution of any binaries in     the working directory named either ..com or ..exe by calling Cmd.Run, Cmd.Start, Cmd.Output, or     Cmd.CombinedOutput when Cmd.Path is unset. (CVE-2022-30580)

    Infinite loop in Read in crypto/rand before Go 1.17.11 and Go 1.18.3 on Windows allows attacker to cause     an indefinite hang by passing a buffer larger than 1 << 32 - 1 bytes. (CVE-2022-30634)

    The Go project has described this issue as follows:

    On Windows, the filepath.Clean function could transform an invalid path such as a/../c:/b into the valid     path c:\b. This transformation of a relative (if invalid) path into an absolute path could enable a     directory traversal attack. The filepath.Clean function will now transform this path into the relative     (but still invalid) path .\c:\b. (CVE-2022-41722)

    http2/hpack: avoid quadratic complexity in hpack decoding (CVE-2022-41723)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
224920	Linux Distros Unpatched Vulnerability : CVE-2022-41722	Nessus	Misc.	2025/3/5	2025/8/30	high
203948	Photon OS 3.0: Falco PHSA-2023-3.0-0611	Nessus	PhotonOS Local Security Checks	2024/7/24	2024/7/24	critical
204171	Photon OS 5.0: Kubernetes PHSA-2023-5.0-0043	Nessus	PhotonOS Local Security Checks	2024/7/24	2024/7/24	critical
171512	FreeBSD : go -- multiple vulnerabilities (3d73e384-ad1f-11ed-983c-83fe35862e3a)	Nessus	FreeBSD Local Security Checks	2023/2/15	2023/9/4	high
203872	Photon OS 3.0: Go PHSA-2023-3.0-0564	Nessus	PhotonOS Local Security Checks	2024/7/24	2024/7/24	high
204483	Photon OS 4.0: Go PHSA-2023-4.0-0362	Nessus	PhotonOS Local Security Checks	2024/7/24	2024/7/24	high
194248	RHEL 8 / 9 : OpenShift Container Platform 4.13.2 (RHSA-2023:3366)	Nessus	Red Hat Local Security Checks	2024/4/28	2025/8/15	critical
174580	Amazon Linux 2 : golang, --advisory ALAS2-2023-2015 (ALAS-2023-2015)	Nessus	Amazon Linux Local Security Checks	2023/4/20	2025/9/26	high
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	2024/5/2	2024/7/29	critical

检测

插件搜索

high

critical

critical

high

high

high

critical

high

critical