The remote Redhat Enterprise Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1536 advisory.

    Red Hat Ceph Storage is a scalable, open, software-defined storage platform     that combines the most stable version of the Ceph storage system with a     Ceph management platform, deployment utilities, and support services.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 38 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-62ce942e75 advisory.

    Release of stargz snapshotter v0.14.2 https://github.com/containerd/stargz-     snapshotter/releases/tag/v0.14.2

    This release uses containerd v1.7.0-rc.1 so this release fixes GHSA-hmfx-3pcx-653p (CVE-2023-25173) and     GHSA-259w-8hf6-59c2 (CVE-2023-25153).
    This release uses Go 1.20.1 so this release fixes CVE-2022-41717 .



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 37 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2023-ee472c698c advisory.

    Release of stargz snapshotter v0.14.2 https://github.com/containerd/stargz-     snapshotter/releases/tag/v0.14.2

    This release uses containerd v1.7.0-rc.1 which contains the fix for GHSA-hmfx-3pcx-653p (CVE-2023-25173)     and GHSA-259w-8hf6-59c2 (CVE-2023-25153).
    This release uses Go 1.20.1 which fixes CVE-2022-41717 .





    ----

    auto bump to v0.14.1

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of containerd installed on the remote host is prior to 1.6.19-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2NITRO-ENCLAVES-2023-023 advisory.

    containerd is an open source container runtime. A bug was found in containerd's CRI implementation where a     user can exhaust memory on the host. In the CRI stream server, a goroutine is launched to handle terminal     resize events if a TTY is requested. If the user's process fails to launch due to, for example, a faulty     command, the goroutine will be stuck waiting to send without a receiver, resulting in a memory leak.
    Kubernetes and crictl can both be configured to use containerd's CRI implementation and the stream server     is used for handling container IO. This bug has been fixed in containerd 1.6.12 and 1.5.16. Users should     update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted     images and commands are used and that only trusted users have permissions to execute commands in running     containers. (CVE-2022-23471)

    containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI     image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with     a large file where a limit was not applied could cause a denial of service. This bug has been fixed in     containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround,     ensure that only trusted images are used and that only trusted users have permissions to import images.
    (CVE-2023-25153)

    containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and     1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct     access to a container and manipulates their supplementary group access, they may be able to use     supplementary group access to bypass primary group restrictions in some cases, potentially gaining access     to sensitive information or gaining the ability to execute code in that container. Downstream applications     that use the containerd client library may be affected as well. This bug has been fixed in containerd     v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue.
    Users who rely on a downstream application that uses containerd's client library should check that     application for a separate advisory and instructions. As a workaround, ensure that the `USER $USERNAME`     Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to     `ENTRYPOINT [su, -, user]` to allow `su` to properly set up supplementary groups. (CVE-2023-25173)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI     image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with     a large file where a limit was not applied could cause a denial of service. This bug has been fixed in     containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround,     ensure that only trusted images are used and that only trusted users have permissions to import images.
    (CVE-2023-25153)

  - containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and     1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct     access to a container and manipulates their supplementary group access, they may be able to use     supplementary group access to bypass primary group restrictions in some cases, potentially gaining access     to sensitive information or gaining the ability to execute code in that container. Downstream applications     that use the containerd client library may be affected as well. This bug has been fixed in containerd     v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue.
    Users who rely on a downstream application that uses containerd's client library should check that     application for a separate advisory and instructions. As a workaround, ensure that the `'USER $USERNAME'`     Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to     `ENTRYPOINT ['su', '-', 'user']` to allow `su` to properly set up supplementary groups. (CVE-2023-25173)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the docker-engine package installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Moby is an open-source project created by Docker to enable software containerization. A bug was found in     Moby (Docker Engine) where supplementary groups are not set up properly. If an attacker has direct access     to a container and manipulates their supplementary group access, they may be able to use supplementary     group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive     information or gaining the ability to execute code in that container. This bug is fixed in Moby (Docker     Engine) 20.10.18. Running containers should be stopped and restarted for the permissions to be fixed. For     users unable to upgrade, this problem can be worked around by not using the `'USER $USERNAME'` Dockerfile     instruction. Instead by calling `ENTRYPOINT ['su', '-', 'user']` the supplementary groups will be set up     properly. (CVE-2022-36109)

  - containerd is an open source container runtime. Before versions 1.6.18 and 1.5.18, when importing an OCI     image, there was no limit on the number of bytes read for certain files. A maliciously crafted image with     a large file where a limit was not applied could cause a denial of service. This bug has been fixed in     containerd 1.6.18 and 1.5.18. Users should update to these versions to resolve the issue. As a workaround,     ensure that only trusted images are used and that only trusted users have permissions to import images.
    (CVE-2023-25153)

  - containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and     1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct     access to a container and manipulates their supplementary group access, they may be able to use     supplementary group access to bypass primary group restrictions in some cases, potentially gaining access     to sensitive information or gaining the ability to execute code in that container. Downstream applications     that use the containerd client library may be affected as well. This bug has been fixed in containerd     v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue.
    Users who rely on a downstream application that uses containerd's client library should check that     application for a separate advisory and instructions. As a workaround, ensure that the `'USER $USERNAME'`     Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to     `ENTRYPOINT ['su', '-', 'user']` to allow `su` to properly set up supplementary groups. (CVE-2023-25173)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An update of the containerd package has been released.

An update of the fuse package has been released.

An update of the nerdctl package has been released.

An update of the telegraf package has been released.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
297118	RHEL 10 / 9 : Red Hat Ceph Storage 9.0 Security and Enhancement update (Moderate) (RHSA-2026:1536)	Nessus	Red Hat Local Security Checks	2026/1/29	2026/1/29	high
172455	Fedora 38 : stargz-snapshotter (2023-62ce942e75)	Nessus	Fedora Local Security Checks	2023/3/10	2024/11/14	high
172630	Fedora 37 : stargz-snapshotter (2023-ee472c698c)	Nessus	Fedora Local Security Checks	2023/3/16	2024/11/14	high
173937	Amazon Linux 2 : containerd (ALASNITRO-ENCLAVES-2023-023)	Nessus	Amazon Linux Local Security Checks	2023/4/6	2025/5/12	high
174209	EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2023-1591)	Nessus	Huawei Local Security Checks	2023/4/13	2023/4/19	high
175490	EulerOS 2.0 SP9 : docker-engine (EulerOS-SA-2023-1864)	Nessus	Huawei Local Security Checks	2023/5/13	2023/5/13	high
203275	Photon OS 4.0: Containerd PHSA-2023-4.0-0350	Nessus	PhotonOS Local Security Checks	2024/7/23	2025/5/12	high
203539	Photon OS 5.0: Fuse PHSA-2023-5.0-0044	Nessus	PhotonOS Local Security Checks	2024/7/23	2024/7/23	high
204563	Photon OS 4.0: Nerdctl PHSA-2023-4.0-0433	Nessus	PhotonOS Local Security Checks	2024/7/24	2024/7/24	high
204388	Photon OS 5.0: Telegraf PHSA-2023-5.0-0041	Nessus	PhotonOS Local Security Checks	2024/7/24	2025/8/21	high

检测

插件搜索

high

high

high

high

high

high

high

high

high

high