CVE-2022-32974: 
Tenable Nessus vulnerability analysis and mitigation

CVE-2022-32974 is a security vulnerability discovered in Nessus Agent and Nessus scanner products. The vulnerability was disclosed on June 21, 2022, affecting Nessus Agent version 10.1.3 and earlier, as well as Nessus scanner version 10.1.2 and earlier. This vulnerability allows an authenticated attacker to read arbitrary files from the underlying operating system of the scanner using a custom crafted compliance audit file without providing valid SSH credentials (Tenable Advisory).

The vulnerability stems from improper validation in the custom Audit functionality of Nessus products. The issue has a CVSSv3 Base Score of 4.2 (Medium) with a temporal score of 3.8. The CVSSv3 vector string is AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C, indicating that while the vulnerability requires high privileges and user interaction, it can potentially lead to unauthorized file access (Tenable Advisory).

The vulnerability allows an authenticated attacker to read arbitrary files from the underlying operating system of the scanner. This could potentially lead to unauthorized access to sensitive information stored on the system running the Nessus scanner (Tenable Advisory).

Tenable has addressed this vulnerability by releasing Nessus Agent version 10.1.4 and Nessus scanner version 10.2.0. The fix includes enabling features to sign and verify custom audit files. Users are strongly encouraged to upgrade to these versions or later to mitigate the vulnerability (Tenable Advisory).