Detections
Analytics
CVE-2022-3498
low
Description
Nessus leverages third-party software to help provide underlying functionality. Several of the third-party components (select2.js, jQuery UI) were found to contain vulnerabilities, and updated versions have been made available by the providers. Additionally, two separate vulnerabilities (Client Side Validation Bypass and Improper Access Control) were discovered, reported and fixed. 1. CVE-2022-3498 - An authenticated attacker could modify the client-side behavior to bypass the protection mechanisms resulting in potentially unexpected interactions between the client and server. 2. CVE-2022-3499 - An authenticated attacker could utilize the identical agent and cluster node linking keys to potentially allow for a scenario where unauthorized disclosure of agent logs and data is present. Out of caution and in line with good practice, Tenable has opted to upgrade these components to address the potential impact of the issues. Nessus 10.4.0 fixes the reported Client Side Validation Bypass and Improper Access Control vulnerabilities, updates jquery-ui to version 1.13.2 and select2.js to version 4.0.13 to address the remaining identified vulnerabilities. Tenable has released Nessus 10.4.0 to address these issues. The installation files can be obtained from the Tenable Downloads Portal (https://www.tenable.com/downloads/nessus).