
Cloud Vulnerability DB
A community-led vulnerabilities database
A critical vulnerability (CVE-2022-4313) was discovered in Tenable products; it can be exploited by authenticated users with Scan Policy Configuration roles. The vulnerability was reported on August 25, 2022, and confirmed on September 1, 2022. The affected products include Tenable.sc, Tenable.io, and Nessus (Tenable Advisory).
The vulnerability has a CVSSv3 Base/Temporal Score of 9.1/8.2 with the vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C. The issue exists in built-in audits that are selected through product interfaces, but does not affect custom audits uploaded by customers. By modifying scan variables, an authenticated user with Scan Policy Configuration roles could manipulate audit policy variables (Tenable Advisory).
The vulnerability allows authenticated users to execute arbitrary commands on credentialed scan targets, potentially leading to complete system compromise. This could result in unauthorized access to sensitive information and system control (Tenable Advisory).
Tenable has released updated compliance plugins and audit files that validate customer-entered values against defined variable types. The fixes were distributed via plugin feed 202212081952 or later. Tenable.io has been updated with the necessary plugins and content. Tenable.sc updates are distributed in the feed and activated with new templates. Nessus users should upgrade to version 10.4.2 or later, or perform a manual update of the audit warehouse (Tenable Advisory).
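The remediation conditions above can be checked across a scanner inventory. The following is an added example, not Tenable or Wiz code: the inventory records, their field names (`plugin_feed`, `audit_warehouse_updated`, `new_templates_in_use`) and the host names are constructed, and applying the feed check to both Nessus and Tenable.sc is one reading of the summary.

```python
import re

FIXED_FEED = 202212081952   # plugin feed carrying the fixed compliance plugins
FIXED_NESSUS = (10, 4, 2)   # first fixed Nessus release named in the advisory

def parse_version(text):
    """'10.4.1' -> (10, 4, 1), so 10.10.0 sorts after 10.4.2."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def outstanding_actions(scanner):
    """Return the advisory's remediation steps that still apply to one scanner."""
    product = scanner["product"].lower()
    if product == "tenable.io":
        return []  # vendor-hosted; already updated according to the advisory
    if product not in ("nessus", "tenable.sc"):
        raise ValueError(f"product not covered by this advisory: {product}")
    actions = []
    feed = str(scanner["plugin_feed"])
    if not re.fullmatch(r"\d{12}", feed):  # assumed: 12-digit id like the page's
        raise ValueError(f"unexpected plugin feed id: {feed!r}")
    if int(feed) < FIXED_FEED:
        actions.append(f"update plugin feed to {FIXED_FEED} or later")
    if product == "nessus":
        old = parse_version(scanner["version"]) < FIXED_NESSUS
        if old and not scanner.get("audit_warehouse_updated", False):
            actions.append("upgrade to Nessus 10.4.2 or later, "
                           "or manually update the audit warehouse")
    elif not scanner.get("new_templates_in_use", False):
        actions.append("activate the update by using the new templates")
    return actions

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "scan-01", "product": "Nessus", "version": "10.4.1",
     "plugin_feed": "202211300110"},
    {"name": "scan-02", "product": "Nessus", "version": "10.10.0",
     "plugin_feed": "202301150200"},
    {"name": "sc-01", "product": "Tenable.sc", "plugin_feed": "202212090000"},
    {"name": "io-tenant", "product": "Tenable.io"},
]

def triage(inventory):
    return {s["name"]: outstanding_actions(s) for s in inventory}

if __name__ == "__main__":
    for name, actions in triage(INVENTORY).items():
        print(name, "->", "; ".join(actions) or "no action outstanding")
```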
Source: This report was generated using AI