5
CVSSv2

CVE-2021-23840

Published: 16/02/2021 Updated: 22/10/2021
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Vulnerability Summary

Nessus Agent versions 7.2.0 up to and including 8.2.2 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance. This could allow a privileged malicious user to obtain the token. Additionally, one third-party component (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the provider. Nessus Agent version 8.2.3 will update OpenSSL to 1.1.1j.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

openssl openssl

debian debian linux 10.0

tenable log correlation engine

tenable nessus network monitor 5.11.0

tenable nessus network monitor 5.11.1

tenable nessus network monitor 5.12.0

tenable nessus network monitor 5.12.1

tenable nessus network monitor 5.13.0

oracle enterprise manager ops center 12.4.0.0

oracle graalvm 19.3.5

oracle graalvm 20.3.1.2

oracle graalvm 21.0.0.2

oracle mysql server

oracle nosql database

Vendor Advisories

Multiple vulnerabilities have been discovered in OpenSSL, a Secure Sockets Layer toolkit An overflow bug in the x64_64 Montgomery squaring procedure, an integer overflow in CipherUpdate and a NULL pointer dereference flaw X509_issuer_and_serial_hash() were found, which could result in denial of service Additional details can be found in the upstr ...
OpenSSL vulnerabilities were disclosed on December 8, 2020 and February 16, 2021 by the OpenSSL Project OpenSSL, used by the IBM Spectrum Protect Backup-Archive Client for network connections with NetApp services, has addressed the applicable CVEs ...
Arch Linux Security Advisory ASA-202102-42 ========================================== Severity: Medium Date : 2021-02-27 CVE-ID : CVE-2021-23840 CVE-2021-23841 Package : openssl Type : multiple issues Remote : Yes Link : securityarchlinuxorg/AVG-1581 Summary ======= The package openssl before version 111j-1 is vulnerable ...
The z/TPF version of OpenSSL was updated to address the vulnerabilities described by CVE-2021-23840 and CVE-2021-23841 ...
IBM MQ for HP NonStop Server is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840 and CVE-2021-23841 ...
Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative ...
A security vulnerability in Nodejs affects IBM Cloud Automation Manager ...
App Connect Enterprise Certified Container may be vulnerable to denial of service attacks due to CVE-2021-23840, CVE-2021-22883 and CVE-2021-22884 in the Nodejs runtime used by the Dashboard and Designer UIs and by the Integration Server runtime when running App Connect Enterprise flows ...
IBM Connect:Direct for HP NonStop is affected by OpenSSL vulnerabilities CVE-2021-23839, CVE-2021-23840, and CVE-2021-23841 OpenSSL is vulnerable to a denial of service, caused by an integer overflow in CipherUpdate By sending an overly long argument, an attacker could exploit this vulnerability to cause the application to crash ...
Nessus Agent versions 720 through 822 were found to inadvertently capture the IAM role security token on the local host during initial linking of the Nessus Agent when installed on an Amazon EC2 instance This could allow a privileged attacker to obtain the token Additionally, one third-party component (OpenSSL) was found to contain vulnerabi ...
Tenablesc and Tenablesc Core versions 5130 through 5170 were found to contain a vulnerability that could allow an authenticated, unprivileged user to perform Remote Code Execution (RCE) on the Tenablesc server via Hypertext Preprocessor unserialization Additionally, one third-party component (OpenSSL) was found to contain vulnerabilities, ...
A vulnerability (CVE-2021-23840) exists in Cosminexus HTTP Server Affected products and versions are listed below Please upgrade your version to the appropriate version ...
Multiple vulnerabilities have been found in Hitachi Ops Center Common Services CVE-2021-3449, CVE-2021-3450, CVE-2021-23840, CVE-2021-23841 Affected products and versions are listed below Please upgrade your version to the appropriate version ...
Nessus Network Monitor leverages third-party software to help provide underlying functionality One of the third-party components (OpenSSL) was found to contain vulnerabilities, and updated versions have been made available by the providers Out of caution and in line with good practice, Tenable opted to upgrade the bundled OpenSSL components to a ...
Tenable Log Correlation Engine leverages third-party software to help provide underlying functionality Two separate third-party components (OpenSSL, jQuery) were found to contain vulnerabilities, and updated versions have been made available by the providers Out of caution and in line with good practice, Tenable opted to upgrade the bundled Open ...
Multiple vulnerabilities have been found in Hitachi Ops Center Analyzer viewpoint CVE-2020-1971, CVE-2021-3393, CVE-2021-3449, CVE-2021-3450, CVE-2021-23840, CVE-2021-23841 Affected products and versions are listed below Please upgrade your version to the appropriate version ...
Multiple vulnerabiilities in XStream, Java, OpenSSL, WebSphere Application Server Liberty and Nodejs may affect IBM Spectrum Control The Java vulnerabilities were disclosed as part of the IBM Java SDK updates in October 2020 and January 2021 ...

Github Repositories

CVE-2021-23840 Exploit Calls to EVP_CipherUpdate, EVP_EncryptUpdate and EVP_DecryptUpdate may overflow the output length argument in some cases where the input length is close to the maximum permissable length for an integer on the platform In such cases the return value from the function call will be 1 (indicating success), but the output length value will be negative This c

Catlin Vulnerability Scanner This can be used to scan vulnerability in Tekton Tasks What is Trivy? Trivy (tri pronounced like trigger, vy pronounced like envy) is a simple and comprehensive vulnerability scanner for containers and other artifacts A software vulnerability is a glitch, flaw, or weakness present in the software or in an Operating System Trivy detects vulnerabi

TASSL-111k 新版本特性 1、基于开源openssl111k修改。相较于之前基于openssl111b版本的tassl,修复了以下漏洞: CVE-2019-1543 CVE-2019-1552 CVE-2019-1563 CVE-2019-1547 CVE-2019-1549 CVE-2020-1967 CVE-2020-1971 CVE-2021-23840 CVE-2021-23839 CVE-2021-23841 CVE-2021-3449 CVE-2021-3450 CVE-2021-3711 2、支持RFC 8998 ShangMi (SM) Cipher Suites for TLS