Vulnerability with multiple locations only shows first

PBSH · July 17, 2025, 10:11am

When you have a plugin which get’s triggered by a detection plugin, which is based on multiple locations, the plugin only shows the first location.

Example:

1.3.6.1.4.1.25623.1.0.117820 = Apache Log4j Detection Consolidation
1.3.6.1.4.1.25623.1.0.117842 = Apache Log4j 2.0.x Multiple Vulnerabilities (Windows, Log4Shell) - Version Check

The detection consolidation plugin detects Log4j at location A, B, and C.
Based on this detection, a vulnerability for plugin with OID ending with 117842 get’s created.

This vulnerability will only show location A as location for the vulnerability. However, location B and C are not shown, while they may be the real cause of the vulnerability.

Looking at the plugins, the location is retrieved by get_app_version_and_location_from_list().
Looking at that specific function, it retrieves the location only once via ap = get_app_details(...), which only returns one result.

Expected behavior:

Either show all locations for the specific vulnerability, or:
Create the vulnerability (plugin ending with oid 117842) for each related location.

cfi · July 30, 2025, 9:20am

I’m actually not sure what is getting reported here because:

None of the Log4j VTs are using get_app_version_and_location_from_list()
The actual used get_app_version_and_location() function is capable to handle and return multiple locations (see output below)

As this seems to be either some environmental problem, some misunderstanding or similar i’m moving this out of the VTs category as the NASL / VT side works as expected.

Detected Apache Log4j (JAR file)

Version:       2.12.1
Location:      C:\<redacted>\log4shell-test\2.12.x\log4j-core-2.12.1.jar
CPE:           cpe:/a:apache:log4j:2.12.1

Concluded from version/product identification result:
log4j-core-2.12.1.jar

Detected Apache Log4j (JAR file)

Version:       2.14.1
Location:      C:\<redacted>\log4shell-test\2.14.x\log4j-core-2.14.1.jar
CPE:           cpe:/a:apache:log4j:2.14.1

Concluded from version/product identification result:
log4j-core-2.14.1.jar

Detected Apache Log4j (JAR file)

Version:       2.14.1
Location:      C:\apache-log4j-2.14.1-bin\apache-log4j-2.14.1-bin\log4j-core-2.14.1.jar
CPE:           cpe:/a:apache:log4j:2.14.1

Concluded from version/product identification result:
log4j-2.14.1-bin\apache-log4j-2.14.1-bin\log4j-core-2.14.1.jar

Installed version: 2.14.1
Fixed version:     2.16.0
Installation
path / port:       C:\apache-log4j-2.14.1-bin\apache-log4j-2.14.1-bin\log4j-core-2.14.1.jar

Installed version: 2.14.1
Fixed version:     2.16.0
Installation
path / port:       C:\<redacted>\log4shell-test\2.14.x\log4j-core-2.14.1.jar

Installed version: 2.12.1
Fixed version:     2.12.2
Installation
path / port:       C:\<redacted>\log4shell-test\2.12.x\log4j-core-2.12.1.jar

system · October 15, 2025, 10:12am

This topic was automatically closed after 90 days. New replies are no longer allowed.