SecurityTracker.com
Category:   Application (Security)  >   Tenable Nessus
Vendors:   Deraison, Renaud et al, Tenable Network Security
Tenable Nessus Access Control Flaw in Web UI Lets Remote Users Obtain Potentially Sensitive Information
SecurityTracker Alert ID:  1030614
SecurityTracker URL:  http://securitytracker.com/id/1030614
CVE Reference:   CVE-2014-4980
Date:  Jul 21 2014
Impact:   Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.2.3 - 5.2.7; Web UI 2.3.4
Description:   A vulnerability was reported in Tenable Nessus. A remote user can obtain potentially sensitive information.

A remote user can send a specially crafted request to the '/server/properties' URL to obtain potentially sensitive information without authenticating.

The vendor was notified on June 24, 2014.

The following data can be obtained:

Plugin Set
Server uuid
Web Server Version
Nessus UI Version
Nessus Type
Notifications
MSP
Capabilities
Multi Scanner
Multi User
Tags
Reset Password
Report Diff
Report Email Config
Report Email
PCI Upload
Plugin Rules
Plugin Set
Idle Timeout
Scanner Boot time
Server Version
Feed
Status

The original advisory is available at:

http://www.halock.com/blog/cve-2014-4980-parameter-tampering-nessus-web-ui/

Robert Gilbert of HALOCK Security Labs reported this vulnerability.

Impact:   A remote user can obtain potentially sensitive information.
Solution:   The vendor has issued a fix (Web UI 2.3.5).

The vendor's advisory is available at:

http://www.tenable.com/security/tns-2014-05

Vendor URL:  www.tenable.com/security/tns-2014-05
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.
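
A defender-side check for the exposure in the Description, added here as an example (not from SecurityTracker, HALOCK or Tenable): it scans web access logs for successful requests to '/server/properties' that come from outside the management networks. The reverse proxy in front of Nessus, its combined log format, the `MGMT_NETS` range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import posixpath
import re
from collections import Counter
from urllib.parse import unquote

# Assumption: Nessus is published through a reverse proxy writing combined-format logs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WATCHED_PATH = "/server/properties"  # URL named in the advisory
# Assumption: networks from which Nessus administration is expected.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]

def normalized_path(target):
    """Drop the query string, decode %-escapes, collapse slashes and dot segments."""
    path = unquote(target.split("?", 1)[0].split("#", 1)[0])
    # Lower-case so the comparison over-matches rather than misses a variant.
    return posixpath.normpath("/" + path.lstrip("/")).lower()

def external_hits(lines):
    """Count 2xx requests to WATCHED_PATH per source address outside MGMT_NETS."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or normalized_path(m["target"]) != WATCHED_PATH:
            continue
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # proxy logged a hostname or garbage; skip the line
        if m["status"].startswith("2") and not any(src in net for net in MGMT_NETS):
            hits[str(src)] += 1
    return hits

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE = [
    '10.20.0.15 - - [21/Jul/2014:10:00:01 +0000] "GET /server/properties HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [21/Jul/2014:10:02:11 +0000] "GET /server/properties?x=1 HTTP/1.1" 200 812 "-" "-"',
    '203.0.113.7 - - [21/Jul/2014:10:02:12 +0000] "GET /server/%70roperties/ HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.9 - - [21/Jul/2014:10:05:40 +0000] "GET /server/properties HTTP/1.1" 403 120 "-" "-"',
    '198.51.100.9 - - [21/Jul/2014:10:05:41 +0000] "GET /login HTTP/1.1" 200 300 "-" "-"',
]

if __name__ == "__main__":
    for ip, count in external_hits(SAMPLE).items():
        print(f"{ip}: {count} successful request(s) to {WATCHED_PATH}")
```

Any address it reports on a server still running Web UI 2.3.4 has received the data listed in the Description and should be reviewed alongside the upgrade to 2.3.5.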

Copyright 2019, SecurityGlobal.net LLC