CVE-2011-0018
Published 2011-01-28
Priority P2 · 58 · critical · CVSS 2.0: 9
CVSS 2.0 vector: AV:N / AC:L / Au:S / C:C / I:C / A:C
Exploit: public
EPSS: 9.27% (94.7th percentile)
The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA).
Affected (6 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| greenbone | greenbone_security_assistant | <= 2.0 | — |
| openvas | openvas_manager | — | — |
| openvas | openvas_manager | — | — |
| openvas | openvas_manager | — | — |
| openvas | openvas_manager | — | — |
| openvas | openvas_manager | — | — |
Detection & IOCs (extracted from sources)
- Monitor OMP requests (to OpenVAS Manager) where the 'to_address' or 'from_address' fields contain shell metacharacters (e.g., '>', '|', ';', '`') indicating command injection attempts via the email escalator function.
- Detect HTTP POST requests to the Greenbone Security Assistant (GSA) where the form field 'method_data:to_address' contains path traversal or shell redirection characters, e.g., values like 'none@none>/var/lib/openvas/users/<username>/isadmin'.
- Alert on unexpected creation of 'isadmin' files under /var/lib/openvas/users/ directories, as the exploit achieves privilege escalation by writing this file via shell redirection in the email To/From fields.
- The vulnerable code path is reachable via cross-site request forgery through the GSA web application; monitor for unauthenticated or cross-origin POST requests to GSA escalator creation endpoints.
- The vulnerability is only exploitable by authenticated users of OpenVAS Manager; unauthenticated exploitation requires chaining with a CSRF attack via the GSA web application.
- The CSRF vector in the Greenbone Security Assistant web application was NOT patched in the initial fix; only the direct OMP injection was resolved in OpenVAS Manager 1.0.4 and 2.0rc3.
- The injected commands execute with the privileges of the OpenVAS Manager process, which is typically root, making this a high-impact privilege escalation.
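The detection items above can be turned into a small, self-contained checker. The following is an added example written for this page, not code from OpenVAS, Greenbone or the indexed sources: it inspects decoded request fields for shell metacharacters and for the isadmin write pattern, parses a URL-encoded GSA form body, and classifies file-creation paths under /var/lib/openvas/users/. The plain OMP element names 'to_address'/'from_address' and the GSA command value 'create_escalator' in the sample bodies are assumptions; the sample request bodies are constructed, not captured traffic.

```python
import re
from urllib.parse import parse_qs

# Characters that let a shell redirect, chain or substitute commands; none of
# them belong in a legitimate e-mail address field.
SHELL_META = re.compile(r"[<>|;&`$\n]")
# The privilege-escalation artifact named in the IOCs above.
ISADMIN_PATH = re.compile(r"/var/lib/openvas/users/([^/\s]+)/isadmin")
# Field names carrying the To/From addresses (plain OMP names are assumed;
# GSA prefixes them as 'method_data:to_address').
ADDRESS_FIELDS = ("to_address", "from_address")


def check_address(field, value):
    """Return a list of findings for one e-mail address field."""
    findings = []
    if SHELL_META.search(value):
        findings.append(f"{field}: shell metacharacter")
    m = ISADMIN_PATH.search(value)
    if m:
        findings.append(f"{field}: isadmin write for user '{m.group(1)}'")
    return findings


def inspect_fields(fields):
    """fields: mapping of decoded field name -> value from an OMP or GSA request."""
    findings = []
    for name, value in fields.items():
        short = name.rsplit(":", 1)[-1]  # strip a 'method_data:' prefix
        if short in ADDRESS_FIELDS:
            findings.extend(check_address(name, value))
    return findings


def inspect_gsa_post(body):
    """Parse a URL-encoded GSA form body and inspect its address fields."""
    parsed = parse_qs(body, keep_blank_values=True)
    fields = {k: v[0] for k, v in parsed.items()}
    return inspect_fields(fields)


def inspect_file_event(path):
    """Flag creation of an isadmin marker under the OpenVAS users directory."""
    m = ISADMIN_PATH.fullmatch(path)
    return f"isadmin file created for user '{m.group(1)}'" if m else None


# Constructed sample inputs (not captured traffic); 'cmd=create_escalator'
# is an assumed GSA command name.
SAMPLE_GSA_POSTS = [
    "cmd=create_escalator&name=ok&method_data%3Ato_address=admin%40example.org",
    "cmd=create_escalator&name=bad&method_data%3Ato_address="
    "none%40none%3E%2Fvar%2Flib%2Fopenvas%2Fusers%2Fmallory%2Fisadmin",
]
SAMPLE_FILE_EVENTS = [
    "/var/lib/openvas/users/mallory/isadmin",
    "/var/lib/openvas/users/mallory/auth/hash",
]

if __name__ == "__main__":
    for body in SAMPLE_GSA_POSTS:
        print(body[:60], "->", inspect_gsa_post(body) or "clean")
    for path in SAMPLE_FILE_EVENTS:
        print(path, "->", inspect_file_event(path) or "clean")
```

Feeding the second sample body through `inspect_gsa_post` yields two findings (the metacharacter and the isadmin write), while the first is clean; the file-event check matches only the exact isadmin marker path, so other files under a user directory do not alert.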
CVSS provenance
- NVD (CVSS v2.0): 9.0 CRITICAL, AV:N/AC:L/Au:S/C:C/I:C/A:C
- Red Hat (vendor): 7.5 HIGH
GHSA-6pf5-h6gw-hqjw: Cross-site request forgery (CSRF) vulnerability in Greenbone Security Assistant (GSA) before 2.0+rc3
Source: GHSA (unreviewed) · 2022-05-14 · CVSS 9.0 · CVE-2011-0650 [CRITICAL] · CWE-352
Cross-site request forgery (CSRF) vulnerability in Greenbone Security Assistant (GSA) before 2.0+rc3 allows remote attackers to hijack the authentication of users for requests that send email via an OMP request to OpenVAS Manager. NOTE: this issue can be leveraged to bypass authentication requirements for exploiting CVE-2011-0018.
GHSA-6x34-cqqf-xp2p: The email function in manage_sql.c
Source: GHSA (unreviewed) · 2022-05-03 · CVE-2011-0018 [HIGH] · CWE-20
The email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA).
libxml2: Heap-based buffer overflow when decoding an entity reference with a long name
Source: Red Hat (vendor) · 2012-01-06 · CVSS 7.5 · CVE-2011-3919 [HIGH] · CWE-122
Heap-based buffer overflow in libxml2, as used in Google Chrome before 16.0.912.75, allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Statement: This issue affected the versions of libxml2 as shipped with Red Hat Enterprise Linux 4, 5 and 6 and has been addressed via RHSA-2012:0016, RHSA-2012:0017 and RHSA-2012:0018 respectively.
libxml2 out of bounds read
Source: Red Hat (vendor) · 2011-12-13 · CVSS 5.0 · CVE-2011-3905 [MEDIUM] · CWE-125
libxml2, as used in Google Chrome before 16.0.912.63, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Statement: This issue affects the version of libxml2 as shipped with Red Hat Enterprise Linux 4, 5 and 6 and has been addressed via RHSA-2012:0016, RHSA-2012:0017 and RHSA-2012:0018 respectively. This issue affects the version of mingw32-libxml2 as shipped with Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this issue as having low security impact. A future update may address this issue in Red Hat Enterprise Linux 6.
No detection rules found.
No writeups or analysis indexed.
References
- http://osvdb.org/70639
- http://secunia.com/advisories/43037
- http://www.exploit-db.com/exploits/16086
- http://www.openvas.org/OVSA20110118.html
- http://www.securityfocus.com/archive/1/515971/100/0/threaded
- http://www.securityfocus.com/bid/45987
- http://www.vupen.com/english/advisories/2011/0208
- https://exchange.xforce.ibmcloud.com/vulnerabilities/65011