The version of curl installed on the remote host is prior to 7.76.1-7. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2021-1700 advisory.

    A flaw was found in curl in the way curl handles a file hash mismatch after downloading content using the     Metalink feature. This flaw allows malicious actors controlling a hosting server to trick users into     downloading malicious content. The highest threat from this vulnerability is to integrity.
    (CVE-2021-22922)

    A flaw was found in curl in the way curl handles credentials when downloading content using the Metalink     feature. This flaw allows malicious actors controlling a hosting server to gain access to credentials     provided while downloading content without the user's knowledge. The highest threat from this     vulnerability is to confidentiality. (CVE-2021-22923)

    A flaw was found in libcurl in the way libcurl handles previously used connections without accounting for     'issuer cert' and comparing the involved paths case-insensitively. This flaw allows libcurl to use the     wrong connection. The highest threat from this vulnerability is to confidentiality. (CVE-2021-22924)

    A flaw was found in the way curl handled telnet protocol option for sending environment variables, which     could lead to sending of uninitialized data from a stack-based buffer to the server. This issue leads to     potentially revealing sensitive internal information to the server using a clear-text network protocol.
    (CVE-2021-22925)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an 'Exposure of Private Personal Information to an     Unauthorized Actor' by leaking credentials in the HTTP Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing     HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second     HTTP request. (CVE-2021-22876)

  - libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of     them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert'     into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing     wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary     depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can     setto qualify how to verify the server certificate. (CVE-2021-22924)

  - curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used     option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for     sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer     to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-     text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing     the string provided by the application. (CVE-2021-22925)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - When curl is instructed to download content using the metalink feature, thecontents is verified against a     hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same     contentfrom a set of different URLs, potentially hosted by different servers and theclient can then     download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting     the contents has been breached and the contentsof the specific file on that server is replaced with a     modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload.
    It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and     instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the     file ondisk. (CVE-2021-22922)

  - When curl is instructed to get content using the metalink feature, and a user name and password are used     to download the metalink XML file, those same credentials are then subsequently passed on to each of the     servers from which curl will download or try to download the contents from. Often contrary to the user's     expectations and intentions and without telling the user it happened. (CVE-2021-22923)

  - libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of     them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert'     into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing     wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary     depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can     setto qualify how to verify the server certificate. (CVE-2021-22924)

  - curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used     option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for     sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer     to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-     text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing     the string provided by the application. (CVE-2021-22925)

  - libcurl-using applications can ask for a specific client certificate to be used in a transfer. This is     done with the `CURLOPT_SSLCERT` option (`--cert` with the command line tool).When libcurl is built to use     the macOS native TLS library Secure Transport, an application can ask for the client certificate by name     or with a file name - using the same option. If the name exists as a file, it will be used instead of by     name.If the appliction runs with a current working directory that is writable by other users (like     `/tmp`), a malicious user can create a file name with the same name as the app wants to use by name, and     thereby trick the application to use the file based cert instead of the one referred to by name making     libcurl send the wrong client certificate in the TLS connection handshake. (CVE-2021-22926)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 16.04 ESM host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5021-2 advisory.

    USN-5021-1 fixed vulnerabilities in curl. This update provides the corresponding updates for Ubuntu 16.04     ESM.



Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the curl packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - curl 7.1.1 to and including 7.75.0 is vulnerable to an 'Exposure of Private Personal Information to an     Unauthorized Actor' by leaking credentials in the HTTP Referer: header. libcurl does not strip off user     credentials from the URL when automatically populating the Referer: HTTP request header field in outgoing     HTTP requests, and therefore risks leaking sensitive data to the server that is the target of the second     HTTP request. (CVE-2021-22876)

  - curl 7.61.0 through 7.76.1 suffers from exposure of data element to wrong session due to a mistake in the     code for CURLOPT_SSL_CIPHER_LIST when libcurl is built to use the Schannel TLS library. The selected     cipher set was stored in a single 'static' variable in the library, which has the surprising side-effect     that if an application sets up multiple concurrent transfers, the last one that sets the ciphers will     accidentally control the set used by all transfers. In a worst-case scenario, this weakens transport     security significantly. (CVE-2021-22897)

  - curl 7.7 through 7.76.1 suffers from an information disclosure when the `-t` command line option, known as     `CURLOPT_TELNETOPTIONS` in libcurl, is used to send variable=content pairs to TELNET servers. Due to a     flaw in the option parser for sending NEW_ENV variables, libcurl could be made to pass on uninitialized     data from a stack based buffer to the server, resulting in potentially revealing sensitive internal     information to the server using a clear-text network protocol. (CVE-2021-22898)

  - When curl is instructed to download content using the metalink feature, thecontents is verified against a     hash provided in the metalink XML file.The metalink XML file points out to the client how to get the same     contentfrom a set of different URLs, potentially hosted by different servers and theclient can then     download the file from one or several of them. In a serial orparallel manner.If one of the servers hosting     the contents has been breached and the contentsof the specific file on that server is replaced with a     modified payload, curlshould detect this when the hash of the file mismatches after a completeddownload.
    It should remove the contents and instead try getting the contentsfrom another URL. This is not done, and     instead such a hash mismatch is onlymentioned in text and the potentially malicious content is kept in the     file ondisk. (CVE-2021-22922)

  - When curl is instructed to get content using the metalink feature, and a user name and password are used     to download the metalink XML file, those same credentials are then subsequently passed on to each of the     servers from which curl will download or try to download the contents from. Often contrary to the user's     expectations and intentions and without telling the user it happened. (CVE-2021-22923)

  - libcurl keeps previously used connections in a connection pool for subsequenttransfers to reuse, if one of     them matches the setup.Due to errors in the logic, the config matching function did not take 'issuercert'     into account and it compared the involved paths *case insensitively*,which could lead to libcurl reusing     wrong connections.File paths are, or can be, case sensitive on many systems but not all, and caneven vary     depending on used file systems.The comparison also didn't include the 'issuer cert' which a transfer can     setto qualify how to verify the server certificate. (CVE-2021-22924)

  - curl supports the `-t` command line option, known as `CURLOPT_TELNETOPTIONS`in libcurl. This rarely used     option is used to send variable=content pairs toTELNET servers.Due to flaw in the option parser for     sending `NEW_ENV` variables, libcurlcould be made to pass on uninitialized data from a stack based buffer     to theserver. Therefore potentially revealing sensitive internal information to theserver using a clear-     text network protocol.This could happen because curl did not call and use sscanf() correctly whenparsing     the string provided by the application. (CVE-2021-22925)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote MiracleLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2021-2762:06 advisory.

    * curl: Leak of authentication credentials in URL via automatic Referer (CVE-2021-22876)
      * curl: TELNET stack contents disclosure (CVE-2021-22898)
      * curl: Incorrect fix for CVE-2021-22898 TELNET stack contents disclosure (CVE-2021-22925)

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2023-0808 advisory.

  - The go command may execute arbitrary code at build time when using cgo. This may occur when running go     get on a malicious module, or when running any other command which builds untrusted code. This is can by     triggered by linker flags, specified via a #cgo LDFLAGS directive. Flags containing embedded spaces are     mishandled, allowing disallowed flags to be smuggled through the LDFLAGS sanitization by including them in     the argument of another flag. This only affects usage of the gccgo compiler. (CVE-2023-29405)

  - When curl < 7.84.0 saves cookies, alt-svc and hsts data to local files, it makes the operation atomic by     finalizing the operation with a rename from a temporary name to the final target file name.In that rename     operation, it might accidentally *widen* the permissions for the target file, leaving the updated file     accessible to more users than intended. (CVE-2022-32207)

  - decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

  - The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
    (CVE-2022-33987)

  - Prototype pollution vulnerability in function parseQuery in parseQuery.js in webpack loader-utils via the     name variable in parseQuery.js. This affects all versions prior to 1.4.1 and 2.0.3. (CVE-2022-37601)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
153416	Amazon Linux 2 : curl, --advisory ALAS2-2021-1700 (ALAS-2021-1700)	Nessus	Amazon Linux Local Security Checks	2021/9/16	2025/9/26	medium
153633	EulerOS 2.0 SP8 : curl (EulerOS-SA-2021-2457)	Nessus	Huawei Local Security Checks	2021/9/24	2023/11/29	medium
155489	EulerOS Virtualization 2.9.1 : curl (EulerOS-SA-2021-2751)	Nessus	Huawei Local Security Checks	2021/11/17	2023/11/23	medium
156918	Ubuntu 16.04 ESM : curl vulnerability (USN-5021-2)	Nessus	Ubuntu Local Security Checks	2022/1/20	2024/10/29	medium
157964	EulerOS Virtualization 3.0.6.0 : curl (EulerOS-SA-2022-1062)	Nessus	Huawei Local Security Checks	2022/2/12	2023/11/9	medium
294365	MiracleLinux 8 : curl-7.61.1-22.el8 (AXSA:2021-2762:06)	Nessus	Miracle Linux Local Security Checks	2026/1/20	2026/1/20	medium
194926	Universal Forwarder 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0809)	Nessus	CGI abuses	2024/5/2	2024/5/30	critical
194928	Splunk Enterprise 8.2.0 < 8.2.12, 9.0.0 < 9.0.6, 9.1.0 < 9.1.1 (SVD-2023-0808)	Nessus	CGI abuses	2024/5/2	2024/7/29	critical

检测

插件搜索

medium

medium

medium

medium

medium

medium

critical

critical