Lucene search
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2021-1879.NASLHistoryMay 19, 2021 - 12:00 a.m.
RHEL 8 : python38:3.8 (RHSA-2021:1879)
2021-05-1900:00:00
This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.038 Low
EPSS
Percentile
92.0%
The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1879 advisory.
-
python: CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116)
-
python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)
-
python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2021:1879. The text
# itself is copyright (C) Red Hat, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(149708);
script_version("1.10");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/28");
script_cve_id("CVE-2020-26116", "CVE-2020-27783", "CVE-2021-3177");
script_xref(name:"IAVA", value:"2020-A-0340-S");
script_xref(name:"RHSA", value:"2021:1879");
script_xref(name:"IAVA", value:"2021-A-0052-S");
script_name(english:"RHEL 8 : python38:3.8 (RHSA-2021:1879)");
script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for python38:3.8.");
script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as
referenced in the RHSA-2021:1879 advisory.
- python: CRLF injection via HTTP request method in httplib/http.client (CVE-2020-26116)
- python-lxml: mXSS due to the use of improper parser (CVE-2020-27783)
- python: Stack-based buffer overflow in PyCArg_repr in _ctypes/callproc.c (CVE-2021-3177)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://access.redhat.com/security/data/csaf/v2/advisories/2021/rhsa-2021_1879.json
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11a2564d");
# https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.4_release_notes/
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?862005a9");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#moderate");
script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2021:1879");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1868006");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1883014");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1886755");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1901633");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1918168");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1920596");
script_set_attribute(attribute:"solution", value:
"Update the RHEL python38:3.8 package based on the guidance in RHSA-2021:1879.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-3177");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_cwe_id(79, 113, 120);
script_set_attribute(attribute:"vendor_severity", value:"Moderate");
script_set_attribute(attribute:"vuln_publication_date", value:"2020/07/30");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/18");
script_set_attribute(attribute:"plugin_publication_date", value:"2021/05/19");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:Cython");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:PyYAML");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:babel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mod_wsgi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:numpy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-PyMySQL");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-asn1crypto");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-cffi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-chardet");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-cryptography");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-idna");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-jinja2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-lxml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-markupsafe");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-ply");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-psutil");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-psycopg2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pycparser");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-pysocks");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-requests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-urllib3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-Cython");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-PyMySQL");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-asn1crypto");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-babel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-cffi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-chardet");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-cryptography");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-debug");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-idle");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-idna");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-jinja2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-libs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-lxml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-markupsafe");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-mod_wsgi");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-numpy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-numpy-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-numpy-f2py");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pip");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pip-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-ply");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-psutil");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-psycopg2");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-psycopg2-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-psycopg2-tests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pycparser");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pysocks");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pytz");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-pyyaml");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-requests");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-rpm-macros");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-scipy");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-setuptools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-setuptools-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-six");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-test");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-tkinter");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-urllib3");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python38-wheel-wheel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3x-pip");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3x-setuptools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:python3x-six");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:pytz");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:scipy");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Red Hat Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2021-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
include('rhel.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'Red Hat 8.x', 'Red Hat ' + os_ver);
if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);
var appstreams = {
'python38:3.8': [
{
'repo_relative_urls': [
'content/dist/rhel8/8.10/aarch64/appstream/debug',
'content/dist/rhel8/8.10/aarch64/appstream/os',
'content/dist/rhel8/8.10/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.10/ppc64le/appstream/debug',
'content/dist/rhel8/8.10/ppc64le/appstream/os',
'content/dist/rhel8/8.10/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.10/s390x/appstream/debug',
'content/dist/rhel8/8.10/s390x/appstream/os',
'content/dist/rhel8/8.10/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.10/x86_64/appstream/debug',
'content/dist/rhel8/8.10/x86_64/appstream/os',
'content/dist/rhel8/8.10/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.6/aarch64/appstream/debug',
'content/dist/rhel8/8.6/aarch64/appstream/os',
'content/dist/rhel8/8.6/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.6/ppc64le/appstream/debug',
'content/dist/rhel8/8.6/ppc64le/appstream/os',
'content/dist/rhel8/8.6/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.6/s390x/appstream/debug',
'content/dist/rhel8/8.6/s390x/appstream/os',
'content/dist/rhel8/8.6/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.6/x86_64/appstream/debug',
'content/dist/rhel8/8.6/x86_64/appstream/os',
'content/dist/rhel8/8.6/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.8/aarch64/appstream/debug',
'content/dist/rhel8/8.8/aarch64/appstream/os',
'content/dist/rhel8/8.8/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.8/ppc64le/appstream/debug',
'content/dist/rhel8/8.8/ppc64le/appstream/os',
'content/dist/rhel8/8.8/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.8/s390x/appstream/debug',
'content/dist/rhel8/8.8/s390x/appstream/os',
'content/dist/rhel8/8.8/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.8/x86_64/appstream/debug',
'content/dist/rhel8/8.8/x86_64/appstream/os',
'content/dist/rhel8/8.8/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8.9/aarch64/appstream/debug',
'content/dist/rhel8/8.9/aarch64/appstream/os',
'content/dist/rhel8/8.9/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8.9/ppc64le/appstream/debug',
'content/dist/rhel8/8.9/ppc64le/appstream/os',
'content/dist/rhel8/8.9/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8.9/s390x/appstream/debug',
'content/dist/rhel8/8.9/s390x/appstream/os',
'content/dist/rhel8/8.9/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8.9/x86_64/appstream/debug',
'content/dist/rhel8/8.9/x86_64/appstream/os',
'content/dist/rhel8/8.9/x86_64/appstream/source/SRPMS',
'content/dist/rhel8/8/aarch64/appstream/debug',
'content/dist/rhel8/8/aarch64/appstream/os',
'content/dist/rhel8/8/aarch64/appstream/source/SRPMS',
'content/dist/rhel8/8/ppc64le/appstream/debug',
'content/dist/rhel8/8/ppc64le/appstream/os',
'content/dist/rhel8/8/ppc64le/appstream/source/SRPMS',
'content/dist/rhel8/8/s390x/appstream/debug',
'content/dist/rhel8/8/s390x/appstream/os',
'content/dist/rhel8/8/s390x/appstream/source/SRPMS',
'content/dist/rhel8/8/x86_64/appstream/debug',
'content/dist/rhel8/8/x86_64/appstream/os',
'content/dist/rhel8/8/x86_64/appstream/source/SRPMS'
],
'pkgs': [
{'reference':'python38-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-asn1crypto-1.2.0-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-babel-2.7.0-10.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-cffi-1.13.2-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-chardet-3.0.4-19.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-cryptography-2.8-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-Cython-0.29.14-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-debug-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-devel-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-idle-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-idna-2.8-6.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-jinja2-2.10.3-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-libs-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-lxml-4.4.1-5.module+el8.4.0+9001+fc421f6c', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-markupsafe-1.1.1-6.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-mod_wsgi-4.6.8-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-numpy-1.17.3-5.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-numpy-doc-1.17.3-5.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-numpy-f2py-1.17.3-5.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pip-19.3.1-1.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pip-wheel-19.3.1-1.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-ply-3.11-10.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-psutil-5.6.4-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-psycopg2-2.8.4-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-psycopg2-doc-2.8.4-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-psycopg2-tests-2.8.4-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pycparser-2.19-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-PyMySQL-0.10.1-1.module+el8.4.0+9692+8e86ab84', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pysocks-1.7.1-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pytz-2019.3-3.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-pyyaml-5.3.1-1.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-requests-2.22.0-9.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-rpm-macros-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-scipy-1.3.1-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-setuptools-41.6.0-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-setuptools-wheel-41.6.0-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-six-1.12.0-10.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-test-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-tkinter-3.8.6-3.module+el8.4.0+9579+e9717e18', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-urllib3-1.25.7-4.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-wheel-0.33.6-5.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'python38-wheel-wheel-0.33.6-5.module+el8.4.0+8888+89bc7e79', 'release':'8', 'rpm_spec_vers_cmp':TRUE}
]
}
]
};
var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:appstreams, appstreams:TRUE);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);
var module_ver = get_kb_item('Host/RedHat/appstream/python38');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module python38:3.8');
if ('3.8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module python38:' + module_ver);
var flag = 0;
var appstreams_found = 0;
foreach var module (keys(appstreams)) {
var appstream = NULL;
var appstream_name = NULL;
var appstream_version = NULL;
var appstream_split = split(module, sep:':', keep:FALSE);
if (!empty_or_null(appstream_split)) {
appstream_name = appstream_split[0];
appstream_version = appstream_split[1];
if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);
}
if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
appstreams_found++;
foreach var module_array ( appstreams[module] ) {
var repo_relative_urls = NULL;
if (!empty_or_null(module_array['repo_relative_urls'])) repo_relative_urls = module_array['repo_relative_urls'];
foreach var package_array ( module_array['pkgs'] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'RHEL' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference &&
_release &&
rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
(applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
}
}
if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module python38:3.8');
if (flag)
{
var extra = NULL;
if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
else extra = rpm_report_get();
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : extra
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'python38 / python38-Cython / python38-PyMySQL / python38-asn1crypto / etc');
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | 8 | cpe:/o:redhat:enterprise_linux:8 |
| redhat | enterprise_linux | cython | p-cpe:/a:redhat:enterprise_linux:cython |
| redhat | enterprise_linux | pyyaml | p-cpe:/a:redhat:enterprise_linux:pyyaml |
| redhat | enterprise_linux | babel | p-cpe:/a:redhat:enterprise_linux:babel |
| redhat | enterprise_linux | mod_wsgi | p-cpe:/a:redhat:enterprise_linux:mod_wsgi |
| redhat | enterprise_linux | numpy | p-cpe:/a:redhat:enterprise_linux:numpy |
| redhat | enterprise_linux | python-pymysql | p-cpe:/a:redhat:enterprise_linux:python-pymysql |
| redhat | enterprise_linux | python-asn1crypto | p-cpe:/a:redhat:enterprise_linux:python-asn1crypto |
| redhat | enterprise_linux | python-cffi | p-cpe:/a:redhat:enterprise_linux:python-cffi |
| redhat | enterprise_linux | python-chardet | p-cpe:/a:redhat:enterprise_linux:python-chardet |
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26116
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27783
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3177
www.nessus.org/u?11a2564d
www.nessus.org/u?862005a9
access.redhat.com/errata/RHSA-2021:1879
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1868006
bugzilla.redhat.com/show_bug.cgi?id=1883014
bugzilla.redhat.com/show_bug.cgi?id=1886755
bugzilla.redhat.com/show_bug.cgi?id=1901633
bugzilla.redhat.com/show_bug.cgi?id=1918168
bugzilla.redhat.com/show_bug.cgi?id=1920596
Related
osv
osv
Moderate: python38:3.8 security update
2021-05-18 06:18:31
Moderate: python38:3.8 security update
2021-05-18 06:18:31
Moderate: python27:2.7 security and bug fix update
2021-05-18 06:02:07
redhat
redhat
(RHSA-2021:1879) Moderate: python38:3.8 security update
2021-05-18 06:18:31
(RHSA-2021:1761) Moderate: python27:2.7 security and bug fix update
2021-05-18 06:02:07
(RHSA-2022:5235) Moderate: python security update
2022-06-28 07:52:39
nessus
nessus
CentOS 8 : python38:3.8 (CESA-2021:1879)
2021-05-28 00:00:00
Oracle Linux 8 : python38:3.8 (ELSA-2021-1879)
2021-11-12 00:00:00
Rocky Linux 8 : python38:3.8 (RLSA-2021:1879)
2023-11-06 00:00:00
almalinux
almalinux
Moderate: python38:3.8 security update
2021-05-18 06:18:31
Moderate: python27:2.7 security and bug fix update
2021-05-18 06:02:07
Moderate: python3 security update
2021-05-18 05:42:46
rocky
rocky
python38:3.8 security update
2021-05-18 06:18:31
python27:2.7 security and bug fix update
2021-05-18 06:02:07
python-lxml security update
2021-05-18 06:21:26
oraclelinux
oraclelinux
python38:3.8 security update
2021-05-25 00:00:00
python27:2.7 security and bug fix update
2021-05-25 00:00:00
python security update
2022-07-02 00:00:00
gentoo
gentoo
Python: Multiple vulnerabilities
2021-01-24 00:00:00
openvas
openvas
CentOS: Security Advisory for python (CESA-2022:5235)
2022-08-03 00:00:00
Huawei EulerOS: Security Advisory for python (EulerOS-SA-2021-2096)
2021-07-07 00:00:00
Huawei EulerOS: Security Advisory for python-lxml (EulerOS-SA-2021-1420)
2021-03-05 00:00:00
centos
centos
python, tkinter security update
2022-08-02 19:15:12
ubuntu
ubuntu
lxml vulnerability
2020-12-09 00:00:00
lxml vulnerability
2020-12-11 00:00:00
Python vulnerability
2020-10-14 00:00:00
fedora
fedora
[SECURITY] Fedora 32 Update: python-lxml-4.4.1-5.fc32
2021-01-14 01:43:47
[SECURITY] Fedora 33 Update: python-lxml-4.5.1-3.fc33
2021-01-14 01:39:59
[SECURITY] Fedora 33 Update: python2.7-2.7.18-6.fc33
2020-10-05 16:36:13
cbl_mariner
cbl_mariner
CVE-2020-27783 affecting package python-lxml 4.2.4-7
2021-08-11 06:39:25
CVE-2020-27783 affecting package python-lxml for versions less than 4.8.0-1
2022-04-26 19:57:36
CVE-2020-26116 affecting package python3 3.7.7-2
2021-07-08 21:56:42
prion
prion
Cross site scripting
2020-12-03 17:15:00
Crlf injection
2020-09-27 04:15:00
amazon
amazon
Medium: python-lxml
2021-06-16 20:37:00
Medium: python
2021-06-16 20:37:00
Medium: python27, python34, python35
2020-11-16 17:59:00
github
github
lxml vulnerable to Cross-site Scripting
2021-01-07 21:54:01
archlinux
archlinux
[ASA-202012-1] python-lxml: cross-site scripting
2020-12-05 00:00:00
cvelist
cvelist
redhatcve
redhatcve
CVE-2020-27783
2020-11-25 17:22:50
CVE-2020-26116
2020-10-02 02:06:52
ubuntucve
ubuntucve
CVE-2020-27783
2020-12-03 00:00:00
CVE-2020-26116
2020-09-27 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2020-11-30 02:54:37
CRLF Injection
2020-10-18 01:59:16
alpinelinux
alpinelinux
CVE-2020-27783
2020-12-03 17:15:13
mageia
mageia
Updated python-lxml packages fix a security vulnerability
2021-01-17 19:07:01
cve
cve
debian
debian
[SECURITY] [DLA 2467-2] lxml regression update
2020-12-18 13:14:42
[SECURITY] [DSA 4810-1] lxml security update
2020-12-13 18:19:20
nvd
nvd
CVE-2020-27783
2020-12-03 17:15:13
CVE-2020-26116
2020-09-27 04:15:11
debiancve
debiancve
CVE-2020-27783
2020-12-03 17:15:13
CVE-2020-26116
2020-09-27 04:15:11
f5
f5
K000133759 : Python vulnerability CVE-2020-26116
2023-05-08 00:00:00
K000133761 : Python vulnerability CVE-2021-3177
2023-05-10 00:00:00
suse
suse
Security update for python (moderate)
2020-11-21 00:00:00
Security update for python (moderate)
2020-11-07 00:00:00
cloudfoundry
cloudfoundry
USN-4581-1: Python vulnerability | Cloud Foundry
2020-11-19 00:00:00
photon
photon
hackerone
hackerone
Ruby: 'net/http': HTTP Header Injection in the set_content_type method
2021-04-19 09:25:39
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.5 High
AI Score
Confidence
High
0.038 Low
EPSS
Percentile
92.0%
Related for REDHAT-RHSA-2021-1879.NASL