Multiple security vulnerabilities have been identified in third-party components used by Nessus Network Monitor. They could allow threat actors to perform remote code execution (RCE) and Denial of Service attacks on affected installations.
The details of the critical vulnerabilities identified are as follows:
- The security vulnerability, tracked as CVE-2022-24785, is due to an input validation error in the npm version of Moment.js. A remote threat actor can access files on the system by sending a specially crafted HTTP request. (Moment.js is a JavaScript date library for parsing, validating, manipulating, and formatting dates.)
- The security vulnerability, tracked as CVE-2021-23369, is due to incorrect login validation. A remote threat actor can run arbitrary code on the target system through a specially crafted request.
Tenable has released Nessus Network Monitor version 6.2.0, which fixes the vulnerabilities by updating moment.js to version 2.29.4 and Handlebars to version 4.7.7. Upgrading to the current version immediately is recommended to avoid being targeted by attacks that exploit these vulnerabilities.
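
The same two libraries are bundled by many Node.js applications, so the check generalizes beyond Nessus Network Monitor. The following is an added example, not Tenable's tooling or code from the advisory: it scans a parsed `package-lock.json` for copies of moment and handlebars below the fixed versions named above. The function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed versions named in the advisory above.
const FIXED = new Map([["moment", "2.29.4"], ["handlebars", "4.7.7"]]);

// True when "major.minor.patch" string v is lower than fixed. An unparseable
// version also returns true so the entry is surfaced for manual review.
function isBelow(v, fixed) {
  const parse = (s) => (/^(\d+)\.(\d+)\.(\d+)/.exec(String(s)) || []).slice(1).map(Number);
  const a = parse(v), b = parse(fixed);
  if (a.length !== 3) return true;
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// List every installed package in a parsed package-lock.json: lockfileVersion
// 2/3 uses "packages" keyed by path, lockfileVersion 1 nests "dependencies".
function collect(lock) {
  const out = [];
  if (lock.packages) {
    for (const [path, info] of Object.entries(lock.packages)) {
      const idx = path.lastIndexOf("node_modules/");
      if (idx === -1) continue; // root project entry
      out.push({ name: path.slice(idx + 13), version: info.version, path });
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, info] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.push({ name, version: info.version, path });
      walk(info.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Copies of moment/handlebars that are below the fixed version.
function findOutdated(lock) {
  return collect(lock).filter((e) => FIXED.has(e.name) && isBelow(e.version, FIXED.get(e.name)));
}

// Constructed sample lockfile (not taken from any product).
const sample = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/moment": { version: "2.29.1" },
  "node_modules/handlebars": { version: "4.7.7" },
  "node_modules/foo/node_modules/handlebars": { version: "4.5.3" } } };
console.log(findOutdated(sample).map((e) => `${e.path}@${e.version}`));
```

For a real project, pass the result of `JSON.parse` on the lockfile contents; nested copies pulled in by other dependencies are reported with their full path.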