Action not permitted
Modal body text goes here.
CVE-2013-4491
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 16:45
Severity ?
EPSS score ?
Summary
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T16:45:14.928Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "57836",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/57836"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "64076",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/64076"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "57836",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/57836"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "64076",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/64076"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4491",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "57836",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57836"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "64076",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64076"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/",
"refsource": "CONFIRM",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "https://puppet.com/security/cve/cve-2013-4491",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-4491",
"datePublished": "2013-12-07T00:00:00",
"dateReserved": "2013-06-12T00:00:00",
"dateUpdated": "2024-08-06T16:45:14.928Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2013-4491\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-12-07T00:55:03.553\",\"lastModified\":\"2019-08-08T15:42:45.623\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de cross-site scripting (XSS) en actionpack/lib/action_view/helpers/translation_helper.rb en el componente internationalization en Ruby on Rails 3.x anteriores a 3.2.16 y 4.x anteriores a 4.0.2 permite a atacantes remotos inyectar scripts web o HTML arbitrarios a trav\u00e9s de cadenas de texto manipuladas que activan la generaci\u00f3n de una cadena de fallback en la gema i18n.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.0.1\",\"matchCriteriaId\":\"1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E950E33-CD03-45F5-83F9-F106060B4A8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"547C62C8-4B3E-431B-AA73-5C42ED884671\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CDAD329-35F7-4C82-8019-A0CF6D069059\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"56D3858B-0FEE-4E8D-83C2-68AF0431F478\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"35FC7015-267C-403B-A23D-EDA6223D2104\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCEE5B21-C990-4705-8239-0D7B29DAEDA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"65EE33B1-B079-4CDE-B9C2-F1613A4610DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CAAA20B-824F-4448-99DC-9712FE628073\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BEBDFB-0F30-454A-B74C-F820C9D2708B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D7CD8C1-95D1-477E-AD96-6582EC33BA01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6F00D98-3D0F-40AF-AE4F-090B1E6B660C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9476CE55-69C0-45D3-B723-6F459C90BF05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"486F5BA6-BCF7-4691-9754-19D364B4438D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"112FC73B-A8BC-4EEA-9F4B-CCE685EF2838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4498383-6FCA-4E17-A1FD-B0CE7EE50F85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26565B1-2BA6-4A3C-9264-7FC9A1820B59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"392E2D58-CB39-4832-B4D9-9C2E23B8E14C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F2466EA-7039-46A1-B4A3-8DACD1953A59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CAB4E72-0A15-4B26-9B69-074C278568D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A085E105-9375-440A-80CB-9B23E6D7EB4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"25911E48-C5D7-4ED8-B4DB-7523A74CCF49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B29674E3-CC80-446B-9A43-82594AE7A058\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF34D8CB-2B6D-4CB8-A206-108293BCFFE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"272268EE-E3E8-4683-B679-55D748877A7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B69FD33-61FE-4F10-BBE1-215F59035D30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08D7CB5D-82EF-4A24-A792-938FAB40863D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A044B21-47D5-468D-AF4A-06B3B5CC0824\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2196F3D0-532A-40F9-843A-1DFBC8B63FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBEDA932-6CB5-438C-94E4-824732A91BE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"903E5524-5E45-48CE-A804-EDAEBE3A79AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08534AF2-F94E-4FB6-A572-4FB9827276D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"29E3B4A6-1346-4358-B7BC-84D00ED3ABBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B52D7A6B-DD93-45F0-9186-18ABEFF28DF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F07C641-48DF-43BE-9EB5-72B337C54846\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1CB1B12-99F5-430F-AE19-9A95C17FA123\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"05D5D58C-DB79-41EA-81AE-5D95C48211B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE331D6D-99BA-4369-AD8B-B556DEE4955F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58304E17-ADFD-4686-9CCF-C1CA31843B94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"05108EF0-81AD-4378-9843-5C23F2AC79A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C448F62-8231-4221-ADA0-C9B848AE03D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60255706-C44A-48CB-B98B-A1F0991CBC74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0456E2E8-EF06-414E-8A7D-8005F0EB46B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9EE4763-2495-4B6A-B72F-344967E51C27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F884F2F4-94F3-46CB-860B-1BCC0EEF408A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"88DFBB48-1C29-4639-9369-F5B413CA2337\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D37696D7-BEE6-4587-9E33-A7FE24780409\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3172982-3FA4-427F-BE3E-2321D804E49D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD6EC85B-F092-48FF-966A-96B9227C8656\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"9000F3C1-57A0-474C-9C82-E58688F29838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A42F4E7A-6F6A-485C-8D30-95F3B0285922\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"30B9C0CB-F6E6-4233-84E4-D6E69104DD73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5343241F-274D-45FF-97C7-2BC2E920BAF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FED122B8-AF4C-4C48-B1E5-54F4A7A31A53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"157ACCAD-0FB8-4CC9-9DFB-70835DE6506C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E50ACF6-7277-4C9A-B42A-E7EFDC317691\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C191DC2B-1EC3-48E0-A586-867E6EE4431C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AA51263-6680-42C6-B119-8241D6F76206\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4BC41E8-FEDA-4C31-B479-D49A59FC4D63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"09C20971-53B5-43B0-AC45-5AA0FDF1B054\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"496902D6-409A-40D9-849F-C41264BE5B04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2482AB3F-8303-4F95-BE04-C5F06EEF2015\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"244C6952-377C-4AF0-8BA2-C34516A3EB5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98A79CC5-71EC-4E90-9E99-2DF62ABC0122\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6562F3C3-D794-4107-95D4-1C0B0486940B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2816C02C-E13E-4367-91F3-14756A90EC9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"1AE674DE-65DB-437E-A034-A2EE5C584B33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32EB2C3F-0F24-43DB-988E-BD2973598F71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB32713D-FE64-445E-872E-B4678C243AB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"89C618DC-38BC-4484-8C41-BC38B7EB636B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E376782-98B0-4766-B6FC-67E032A00C62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F365C9E5-27DC-46C3-AFE4-4876EC7B352B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F0016A6-0ED6-443D-B969-CB1226D8E28C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E69470EA-5EBC-4FB9-A722-5B61C70C1140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B13A8EBB-4211-4AB1-8872-244EEEE20ABD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9AB2152-DED8-4CFD-B915-94A9F56FDD05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C630AB60-DBAF-421E-B663-492BAE8A180F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F41CCF8-14EB-4327-A675-83BFDBB53196\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75842F7D-B1B1-48BA-858F-01148867B3AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE65D701-AA6E-48E4-B62B-C22DEE863503\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B1E475-C873-4561-9348-027721C08D79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2.15\",\"matchCriteriaId\":\"38F53FB7-A292-4273-BFBE-E231235E845D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"224BD488-0D7E-4F8B-9012-DE872DEB544C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8F0635C-4EBF-4EA3-9756-A85A3BB5026B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A325F57E-0055-4279-9ED7-A26E75FC38E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"991F368C-CEB5-4DE6-A7EE-C341F358A4CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"01DB164E-E08E-4649-84BD-15B4159A3AA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F7ECFB-86A1-4F00-AD47-971FA23C6D21\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1794.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0008.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-1863.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://secunia.com/advisories/57836\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2888\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/64076\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://puppet.com/security/cve/cve-2013-4491\",\"source\":\"secalert@redhat.com\"}]}}"
}
}
rhsa-2014_1863
Vulnerability from csaf_redhat
Published
2014-11-17 17:08
Modified
2024-11-22 06:25
Summary
Red Hat Security Advisory: Subscription Asset Manager 1.4 security update
Notes
Topic
Updated Subscription Asset Manager 1.4 packages that fix multiple security
issues are now available.
Red Hat Product Security has rated this update as having Important security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
Red Hat Subscription Asset Manager acts as a proxy for handling
subscription information and software updates on client machines. Red Hat
Subscription Asset Manager is built on Ruby on Rails, a
model-view-controller (MVC) framework for web application development.
Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled
wildcard segments in routes with implicit rendering. A remote attacker
could use this flaw to retrieve arbitrary local files accessible to a Ruby
on Rails application using the aforementioned routes via a specially
crafted request. (CVE-2014-0130)
A flaw was found in the way Ruby on Rails handled hashes in certain
queries. A remote attacker could use this flaw to perform a denial of
service (resource consumption) attack by sending specially crafted queries
that would result in the creation of Ruby symbols, which were never garbage
collected. (CVE-2013-1854)
Two cross-site scripting (XSS) flaws were found in Action Pack. A remote
attacker could use these flaws to conduct XSS attacks against users of an
application using Action Pack. (CVE-2013-1855, CVE-2013-1857)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)
Red Hat would like to thank Ruby on Rails upstream for reporting these
issues. Upstream acknowledges Ben Murphy as the original reporter of
CVE-2013-1854, Charlie Somerville as the original reporter of
CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,
Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the
original reporter of CVE-2013-6414, and Ankit Gupta as the original
reporter of CVE-2013-6415.
All Subscription Asset Manager users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated Subscription Asset Manager 1.4 packages that fix multiple security\nissues are now available.\n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines. Red Hat\nSubscription Asset Manager is built on Ruby on Rails, a\nmodel-view-controller (MVC) framework for web application development.\nAction Pack implements the controller and the view components.\n\nA directory traversal flaw was found in the way Ruby on Rails handled\nwildcard segments in routes with implicit rendering. A remote attacker\ncould use this flaw to retrieve arbitrary local files accessible to a Ruby\non Rails application using the aforementioned routes via a specially\ncrafted request. (CVE-2014-0130)\n\nA flaw was found in the way Ruby on Rails handled hashes in certain\nqueries. A remote attacker could use this flaw to perform a denial of\nservice (resource consumption) attack by sending specially crafted queries\nthat would result in the creation of Ruby symbols, which were never garbage\ncollected. (CVE-2013-1854)\n\nTwo cross-site scripting (XSS) flaws were found in Action Pack. A remote\nattacker could use these flaws to conduct XSS attacks against users of an\napplication using Action Pack. (CVE-2013-1855, CVE-2013-1857)\n\nIt was discovered that the internationalization component of Ruby on Rails\ncould, under certain circumstances, return a fallback HTML string that\ncontained user input. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting these\nissues. Upstream acknowledges Ben Murphy as the original reporter of\nCVE-2013-1854, Charlie Somerville as the original reporter of\nCVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,\nPeter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the\noriginal reporter of CVE-2013-6414, and Ankit Gupta as the original\nreporter of CVE-2013-6415.\n\nAll Subscription Asset Manager users are advised to upgrade to these\nupdated packages, which contain backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1863",
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "921329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921329"
},
{
"category": "external",
"summary": "921331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921331"
},
{
"category": "external",
"summary": "921335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921335"
},
{
"category": "external",
"summary": "1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "1095105",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1095105"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1863.json"
}
],
"title": "Red Hat Security Advisory: Subscription Asset Manager 1.4 security update",
"tracking": {
"current_release_date": "2024-11-22T06:25:19+00:00",
"generator": {
"date": "2024-11-22T06:25:19+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:1863",
"initial_release_date": "2014-11-17T17:08:19+00:00",
"revision_history": [
{
"date": "2014-11-17T17:08:19+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-11-17T17:08:19+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T06:25:19+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product": {
"name": "Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14",
"product_identification_helper": {
"cpe": "cpe:/a:rhel_sam:1.4::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Subscription Asset Manager"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"product_id": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activemodel@3.2.17-1.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"product_id": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activeresource@3.2.17-1.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"product_id": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionmailer@3.2.17-1.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.17-6.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"product_id": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-rails@3.2.17-1.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"product": {
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"product_id": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-rack@1.4.5-3.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"product_id": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-mail@2.5.4-1.el6sam?arch=src"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"product_id": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-i18n@0.6.9-1.el6sam?arch=src"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.src",
"product": {
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.src",
"product_id": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-railties@3.2.17-1.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"product": {
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"product_id": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activesupport@3.2.17-2.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"product_id": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.17-5.el6sam?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-0:1.4.3.28-1.el6sam_splice.src",
"product": {
"name": "katello-0:1.4.3.28-1.el6sam_splice.src",
"product_id": "katello-0:1.4.3.28-1.el6sam_splice.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello@1.4.3.28-1.el6sam_splice?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"product_id": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activemodel@3.2.17-1.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"product_id": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activeresource@3.2.17-1.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"product_id": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionmailer@3.2.17-1.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.17-6.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"product_id": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-rails@3.2.17-1.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"product_id": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-rack@1.4.5-3.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"product_id": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-mail@2.5.4-1.el6sam?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"product_id": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-i18n@0.6.9-1.el6sam?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"product_id": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-railties@3.2.17-1.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"product_id": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activesupport@3.2.17-2.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"product_id": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.17-5.el6sam?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"product": {
"name": "katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"product_id": "katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-headpin-all@1.4.3.28-1.el6sam_splice?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"product": {
"name": "katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"product_id": "katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-common@1.4.3.28-1.el6sam_splice?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"product": {
"name": "katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"product_id": "katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-headpin@1.4.3.28-1.el6sam_splice?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"product": {
"name": "katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"product_id": "katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-candlepin@1.4.3.28-1.el6sam_splice?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"product": {
"name": "katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"product_id": "katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/katello-glue-elasticsearch@1.4.3.28-1.el6sam_splice?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-0:1.4.3.28-1.el6sam_splice.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src"
},
"product_reference": "katello-0:1.4.3.28-1.el6sam_splice.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-common-0:1.4.3.28-1.el6sam_splice.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch"
},
"product_reference": "katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch"
},
"product_reference": "katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch"
},
"product_reference": "katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch"
},
"product_reference": "katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch"
},
"product_reference": "katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src"
},
"product_reference": "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src"
},
"product_reference": "ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch"
},
"product_reference": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.src as a component of Red Hat Subscription Asset Manager for RHEL 6 Server",
"product_id": "6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
},
"product_reference": "ruby193-rubygem-railties-1:3.2.17-1.el6sam.src",
"relates_to_product_reference": "6Server-SubscriptionAssetManager14"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ben Murphy"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-1854",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "921329"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-activerecord: attribute_dos Symbol DoS vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1854"
},
{
"category": "external",
"summary": "RHBZ#921329",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921329"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1854",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1854"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1854",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1854"
}
],
"release_date": "2013-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-activerecord: attribute_dos Symbol DoS vulnerability"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Charlie Somerville"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-1855",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "921331"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1855"
},
{
"category": "external",
"summary": "RHBZ#921331",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921331"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1855",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1855"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1855",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1855"
}
],
"release_date": "2013-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Alan Jenkins"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-1857",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-03-13T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "921335"
}
],
"notes": [
{
"category": "description",
"text": "A cross-site scripting (XSS) flaw was found in Action Pack. A remote attacker could use this flaw to conduct XSS attacks against users of an application using Action Pack.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-1857"
},
{
"category": "external",
"summary": "RHBZ#921335",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=921335"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-1857",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-1857"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-1857",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-1857"
}
],
"release_date": "2013-03-18T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Peter McLarnan"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-4491",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036922"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: i18n missing translation XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4491"
},
{
"category": "external",
"summary": "RHBZ#1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4491",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: i18n missing translation XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Toby Hsieh"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6414",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: Action View DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6414"
},
{
"category": "external",
"summary": "RHBZ#1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6414",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6414"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: Action View DoS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ankit Gupta"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6415",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: number_to_currency XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6415"
},
{
"category": "external",
"summary": "RHBZ#1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6415",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: number_to_currency XSS"
},
{
"cve": "CVE-2014-0130",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2014-05-07T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1095105"
}
],
"notes": [
{
"category": "description",
"text": "A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: directory traversal issue",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0130"
},
{
"category": "external",
"summary": "RHBZ#1095105",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1095105"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0130",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0130"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0130",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0130"
},
{
"category": "external",
"summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
}
],
"release_date": "2014-05-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-11-17T17:08:19+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1863"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-SubscriptionAssetManager14:katello-0:1.4.3.28-1.el6sam_splice.src",
"6Server-SubscriptionAssetManager14:katello-common-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-candlepin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-glue-elasticsearch-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:katello-headpin-all-0:1.4.3.28-1.el6sam_splice.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-actionpack-1:3.2.17-6.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activemodel-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activerecord-1:3.2.17-5.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activeresource-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-activesupport-1:3.2.17-2.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-i18n-0:0.6.9-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-mail-0:2.5.4-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rack-1:1.4.5-3.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-rails-1:3.2.17-1.el6sam.src",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.noarch",
"6Server-SubscriptionAssetManager14:ruby193-rubygem-railties-1:3.2.17-1.el6sam.src"
]
}
],
"threats": [
{
"category": "exploit_status",
"date": "2022-03-25T00:00:00+00:00",
"details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
},
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: directory traversal issue"
}
]
}
rhsa-2013_1794
Vulnerability from csaf_redhat
Published
2013-12-05 21:54
Modified
2024-11-14 14:24
Summary
Red Hat Security Advisory: ruby193-rubygem-actionpack security update
Notes
Topic
Updated ruby193-rubygem-actionpack packages that fix multiple security
issues are now available for Red Hat Software Collections 1.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.
A flaw was found in the way Ruby on Rails performed JSON parameter parsing.
An application using a third party library, which uses the Rack::Request
interface, or custom Rack middleware could bypass the protection
implemented to fix the CVE-2013-0155 vulnerability, causing the application
to receive unsafe parameters and become vulnerable to CVE-2013-0155.
(CVE-2013-6417)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)
All ruby193-rubygem-actionpack users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated ruby193-rubygem-actionpack packages that fix multiple security\nissues are now available for Red Hat Software Collections 1.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components.\n\nA flaw was found in the way Ruby on Rails performed JSON parameter parsing.\nAn application using a third party library, which uses the Rack::Request\ninterface, or custom Rack middleware could bypass the protection\nimplemented to fix the CVE-2013-0155 vulnerability, causing the application\nto receive unsafe parameters and become vulnerable to CVE-2013-0155.\n(CVE-2013-6417)\n\nIt was discovered that the internationalization component of Ruby on Rails\ncould, under certain circumstances, return a fallback HTML string that\ncontained user input. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nAll ruby193-rubygem-actionpack users are advised to upgrade to these\nupdated packages, which contain backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1794",
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1794.json"
}
],
"title": "Red Hat Security Advisory: ruby193-rubygem-actionpack security update",
"tracking": {
"current_release_date": "2024-11-14T14:24:54+00:00",
"generator": {
"date": "2024-11-14T14:24:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2013:1794",
"initial_release_date": "2013-12-05T21:54:00+00:00",
"revision_history": [
{
"date": "2013-12-05T21:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-12-05T22:00:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:24:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:1::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack-doc@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Peter McLarnan"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-4491",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036922"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: i18n missing translation XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4491"
},
{
"category": "external",
"summary": "RHBZ#1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4491",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: i18n missing translation XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Toby Hsieh"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6414",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: Action View DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6414"
},
{
"category": "external",
"summary": "RHBZ#1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6414",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6414"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: Action View DoS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ankit Gupta"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6415",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: number_to_currency XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6415"
},
{
"category": "external",
"summary": "RHBZ#1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6415",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: number_to_currency XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails project"
]
}
],
"cve": "CVE-2013-6417",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036409"
}
],
"notes": [
{
"category": "description",
"text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6417"
},
{
"category": "external",
"summary": "RHBZ#1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6417"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)"
}
]
}
rhsa-2014_0008
Vulnerability from csaf_redhat
Published
2014-01-06 18:02
Modified
2024-11-14 14:25
Summary
Red Hat Security Advisory: ruby193-rubygem-actionpack security update
Notes
Topic
Updated ruby193-rubygem-actionpack packages that fix multiple security
issues are now available for Red Hat OpenStack 3.0.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.
A flaw was found in the way Ruby on Rails performed JSON parameter parsing.
An application using a third party library, which uses the Rack::Request
interface, or custom Rack middleware could bypass the protection
implemented to fix the CVE-2013-0155 vulnerability, causing the application
to receive unsafe parameters and become vulnerable to CVE-2013-0155.
(CVE-2013-6417)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)
Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated ruby193-rubygem-actionpack packages that fix multiple security\nissues are now available for Red Hat OpenStack 3.0.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components.\n\nA flaw was found in the way Ruby on Rails performed JSON parameter parsing.\nAn application using a third party library, which uses the Rack::Request\ninterface, or custom Rack middleware could bypass the protection\nimplemented to fix the CVE-2013-0155 vulnerability, causing the application\nto receive unsafe parameters and become vulnerable to CVE-2013-0155.\n(CVE-2013-6417)\n\nIt was discovered that the internationalization component of Ruby on Rails\ncould, under certain circumstances, return a fallback HTML string that\ncontained user input. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nUsers of Red Hat OpenStack 3.0 are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0008",
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0008.json"
}
],
"title": "Red Hat Security Advisory: ruby193-rubygem-actionpack security update",
"tracking": {
"current_release_date": "2024-11-14T14:25:50+00:00",
"generator": {
"date": "2024-11-14T14:25:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2014:0008",
"initial_release_date": "2014-01-06T18:02:24+00:00",
"revision_history": [
{
"date": "2014-01-06T18:02:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-06T18:02:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:25:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:3::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack-doc@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-Grizzly"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Server-Grizzly"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-Grizzly"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Peter McLarnan"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-4491",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036922"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: i18n missing translation XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4491"
},
{
"category": "external",
"summary": "RHBZ#1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4491",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: i18n missing translation XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Toby Hsieh"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6414",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: Action View DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6414"
},
{
"category": "external",
"summary": "RHBZ#1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6414",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6414"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: Action View DoS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ankit Gupta"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6415",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: number_to_currency XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6415"
},
{
"category": "external",
"summary": "RHBZ#1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6415",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: number_to_currency XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails project"
]
}
],
"cve": "CVE-2013-6417",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036409"
}
],
"notes": [
{
"category": "description",
"text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6417"
},
{
"category": "external",
"summary": "RHBZ#1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6417"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)"
}
]
}
gsd-2013-4491
Vulnerability from gsd
Modified
2013-12-03 00:00
Details
There is a vulnerability in the internationalization component of Ruby on
Rails. Under certain common configurations an attacker can provide specially
crafted input which will execute a reflective XSS attack.
The root cause of this issue is a vulnerability in the i18n gem which has
been assigned the identifier CVE-2013-4492.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-4491",
"description": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.",
"id": "GSD-2013-4491",
"references": [
"https://www.suse.com/security/cve/CVE-2013-4491.html",
"https://www.debian.org/security/2014/dsa-2888",
"https://access.redhat.com/errata/RHSA-2014:1863",
"https://access.redhat.com/errata/RHSA-2014:0008",
"https://access.redhat.com/errata/RHSA-2013:1794"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2013-4491",
"OSVDB-100528"
],
"details": "There is a vulnerability in the internationalization component of Ruby on\nRails. Under certain common configurations an attacker can provide specially\ncrafted input which will execute a reflective XSS attack.\n\nThe root cause of this issue is a vulnerability in the i18n gem which has\nbeen assigned the identifier CVE-2013-4492.\n",
"id": "GSD-2013-4491",
"modified": "2013-12-03T00:00:00.000Z",
"published": "2013-12-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
}
],
"summary": "Reflective XSS Vulnerability in Ruby on Rails"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4491",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "57836",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/57836"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "64076",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/64076"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/",
"refsource": "CONFIRM",
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "https://puppet.com/security/cve/cve-2013-4491",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-4491",
"cvss_v2": 4.3,
"date": "2013-12-03",
"description": "There is a vulnerability in the internationalization component of Ruby on\nRails. Under certain common configurations an attacker can provide specially\ncrafted input which will execute a reflective XSS attack.\n\nThe root cause of this issue is a vulnerability in the i18n gem which has\nbeen assigned the identifier CVE-2013-4492.\n",
"framework": "rails",
"gem": "actionpack",
"osvdb": 100528,
"patched_versions": [
"~\u003e 3.2.16",
"\u003e= 4.0.2"
],
"title": "Reflective XSS Vulnerability in Ruby on Rails",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.0.6 \u003c3.2.16||\u003e=4.0.0.beta1 \u003c4.0.2",
"affected_versions": "All versions starting from 3.0.6 before 3.2.16, all versions starting from 4.0.0.beta1 before 4.0.2",
"credit": "Peter McLarnan of Matasano Security",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-08-08",
"description": "There is a vulnerability in the internationalisation component of Ruby on Rails. When the i18n gem is unable to provide a translation for a given string, it creates a fallback HTML string. Under certain common configurations this string can contain user input which would allow an attacker to execute a reflective XSS attack. ",
"fixed_versions": [
"3.2.16",
"4.0.2"
],
"identifier": "CVE-2013-4491",
"identifiers": [
"CVE-2013-4491"
],
"not_impacted": "All versions before 3.0.6, all versions starting from 3.2.16 before 4.0.0.beta1, all versions starting from 4.0.2",
"package_slug": "gem/actionpack",
"pubdate": "2013-12-06",
"solution": "Upgrade to versions 3.2.16, 4.0.2 or above.",
"title": "Reflective XSS Vulnerability",
"urls": [
"http://seclists.org/oss-sec/2013/q4/401"
],
"uuid": "a10bad84-96c6-42ed-b841-655caa73024b"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-4491"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"tags": [],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "57836",
"refsource": "SECUNIA",
"tags": [],
"url": "http://secunia.com/advisories/57836"
},
{
"name": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/",
"refsource": "CONFIRM",
"tags": [],
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"name": "RHSA-2014:1863",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"name": "64076",
"refsource": "BID",
"tags": [],
"url": "http://www.securityfocus.com/bid/64076"
},
{
"name": "https://puppet.com/security/cve/cve-2013-4491",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2013-4491"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2019-08-08T15:42Z",
"publishedDate": "2013-12-07T00:55Z"
}
}
}
var-201312-0118
Vulnerability from variot
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. RubyGems i18n is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to RubyGems i18n 0.6.6, and 0.5.1 are vulnerable.
For the stable distribution (wheezy), these problems have been fixed in version 3.2.6-6+deb7u1.
For the unstable distribution (sid), this problem has been fixed in version 3.2.16-3+0 of the rails-3.2 source package.
We recommend that you upgrade your ruby-actionpack-3.2 packages. Relevant releases/architectures:
OpenStack 3 - noarch
- An application using a third party library, which uses the Rack::Request interface, or custom Rack middleware could bypass the protection implemented to fix the CVE-2013-0155 vulnerability, causing the application to receive unsafe parameters and become vulnerable to CVE-2013-0155. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
===================================================================== Red Hat Security Advisory
Synopsis: Important: Subscription Asset Manager 1.4 security update Advisory ID: RHSA-2014:1863-01 Product: Red Hat Subscription Asset Manager Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html Issue date: 2014-11-17 CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2014-0130 =====================================================================
- Summary:
Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available.
Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
- Relevant releases/architectures:
Red Hat Subscription Asset Manager for RHEL 6 Server - noarch
- Description:
Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130)
A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. (CVE-2013-1854)
Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. (CVE-2013-6415)
Red Hat would like to thank Ruby on Rails upstream for reporting these issues. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415.
All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
- Solution:
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
- Bugs fixed (https://bugzilla.redhat.com/):
921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue
- Package List:
Red Hat Subscription Asset Manager for RHEL 6 Server:
Source: katello-1.4.3.28-1.el6sam_splice.src.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm
noarch: katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/
- References:
https://access.redhat.com/security/cve/CVE-2013-1854 https://access.redhat.com/security/cve/CVE-2013-1855 https://access.redhat.com/security/cve/CVE-2013-1857 https://access.redhat.com/security/cve/CVE-2013-4491 https://access.redhat.com/security/cve/CVE-2013-6414 https://access.redhat.com/security/cve/CVE-2013-6415 https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#important
- Contact:
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/
Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1
iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y SoVal0zNgx0pwtSAkS1q5/0= =i5aK -----END PGP SIGNATURE-----
-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201312-0118",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "ruby on rails",
"scope": "eq",
"trust": 1.6,
"vendor": "rubyonrails",
"version": "3.2.14"
},
{
"model": "ruby on rails",
"scope": "eq",
"trust": 1.6,
"vendor": "rubyonrails",
"version": "3.2.15"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.19"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.13"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.7"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.17"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.7"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.16"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.11"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.9"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.6"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.9"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.3"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.20"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.9"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.2"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.5"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.4"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "4.0.1"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.1"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.8"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.12"
},
{
"model": "ruby on rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.4"
},
{
"model": "ruby on rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.11"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.1"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.4"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.0"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.3"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.12"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.13"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.6"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.4"
},
{
"model": "ruby on rails",
"scope": "lte",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.15"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.10"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.2"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.2"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.10"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.8"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.3"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.11"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.0"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.5"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.14"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.10"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.5"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "4.0.0"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.6"
},
{
"model": "rails",
"scope": "lte",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "4.0.1"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.8"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.7"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.1.0"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.2.1"
},
{
"model": "rails",
"scope": "eq",
"trust": 1.0,
"vendor": "rubyonrails",
"version": "3.0.18"
},
{
"model": "rails",
"scope": "lt",
"trust": 0.8,
"vendor": "ruby on rails",
"version": "4.x"
},
{
"model": "rails",
"scope": "lt",
"trust": 0.8,
"vendor": "ruby on rails",
"version": "3.x"
},
{
"model": "rails",
"scope": "eq",
"trust": 0.8,
"vendor": "ruby on rails",
"version": "3.2.16"
},
{
"model": "rails",
"scope": "eq",
"trust": 0.8,
"vendor": "ruby on rails",
"version": "4.0.2"
},
{
"model": "ruby on rails",
"scope": "eq",
"trust": 0.6,
"vendor": "rubyonrails",
"version": "3.2.12"
},
{
"model": "ruby on rails",
"scope": "eq",
"trust": 0.6,
"vendor": "rubyonrails",
"version": "3.2.13"
},
{
"model": "webyast",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "1.3"
},
{
"model": "studio onsite",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "1.3"
},
{
"model": "lifecycle management server",
"scope": "eq",
"trust": 0.3,
"vendor": "suse",
"version": "1.3"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "13.1"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "12.3"
},
{
"model": "opensuse",
"scope": "eq",
"trust": 0.3,
"vendor": "s u s e",
"version": "12.2"
},
{
"model": "i18n",
"scope": "eq",
"trust": 0.3,
"vendor": "rubygems",
"version": "0.6.5"
},
{
"model": "i18n",
"scope": "eq",
"trust": 0.3,
"vendor": "rubygems",
"version": "0.5.0"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "4.0.1"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "4.0"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.13"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.12"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.11"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.10"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.8"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.7"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.6"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.4"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.2"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.12"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.11"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.9"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.8"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.7"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.6"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.5"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.4"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1.2"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.1"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.0.6"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.15"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.0.8"
},
{
"model": "on rails ruby on rails",
"scope": "eq",
"trust": 0.3,
"vendor": "ruby",
"version": "3.0.7"
},
{
"model": "software collections for rhel",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "0"
},
{
"model": "openstack",
"scope": "eq",
"trust": 0.3,
"vendor": "redhat",
"version": "3.0"
},
{
"model": "puppet enterprise",
"scope": "eq",
"trust": 0.3,
"vendor": "puppetlabs",
"version": "3.1"
},
{
"model": "chef",
"scope": "eq",
"trust": 0.3,
"vendor": "opscode",
"version": "11.1.2"
},
{
"model": "security network protection xgs",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "51005.1.1"
},
{
"model": "security network protection xgs",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "51005.1"
},
{
"model": "security network protection xgs",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "5.1.2"
},
{
"model": "linux sparc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux s/390",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux powerpc",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux mips",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux ia-32",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux arm",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "linux amd64",
"scope": "eq",
"trust": 0.3,
"vendor": "debian",
"version": "6.0"
},
{
"model": "i18n",
"scope": "ne",
"trust": 0.3,
"vendor": "rubygems",
"version": "0.6.6"
},
{
"model": "i18n",
"scope": "ne",
"trust": 0.3,
"vendor": "rubygems",
"version": "0.5.1"
},
{
"model": "on rails ruby on rails",
"scope": "ne",
"trust": 0.3,
"vendor": "ruby",
"version": "4.0.2"
},
{
"model": "on rails ruby on rails",
"scope": "ne",
"trust": 0.3,
"vendor": "ruby",
"version": "3.2.16"
},
{
"model": "puppet enterprise",
"scope": "ne",
"trust": 0.3,
"vendor": "puppetlabs",
"version": "3.1.1"
},
{
"model": "chef",
"scope": "ne",
"trust": 0.3,
"vendor": "opscode",
"version": "11.1.3"
}
],
"sources": [
{
"db": "BID",
"id": "64076"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4491"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Peter McLarnan of Matasano Security.",
"sources": [
{
"db": "BID",
"id": "64076"
}
],
"trust": 0.3
},
"cve": "CVE-2013-4491",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": true,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Medium",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 4.3,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2013-4491",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2013-4491",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201312-123",
"trust": 0.6,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. RubyGems i18n is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. \nVersions prior to RubyGems i18n 0.6.6, and 0.5.1 are vulnerable. \n\nFor the stable distribution (wheezy), these problems have been fixed in\nversion 3.2.6-6+deb7u1. \n\nFor the unstable distribution (sid), this problem has been fixed in\nversion 3.2.16-3+0 of the rails-3.2 source package. \n\nWe recommend that you upgrade your ruby-actionpack-3.2 packages. Relevant releases/architectures:\n\nOpenStack 3 - noarch\n\n3. \nAn application using a third party library, which uses the Rack::Request\ninterface, or custom Rack middleware could bypass the protection\nimplemented to fix the CVE-2013-0155 vulnerability, causing the application\nto receive unsafe parameters and become vulnerable to CVE-2013-0155. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n=====================================================================\n Red Hat Security Advisory\n\nSynopsis: Important: Subscription Asset Manager 1.4 security update\nAdvisory ID: RHSA-2014:1863-01\nProduct: Red Hat Subscription Asset Manager\nAdvisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html\nIssue date: 2014-11-17\nCVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 \n CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 \n CVE-2014-0130 \n=====================================================================\n\n1. Summary:\n\nUpdated Subscription Asset Manager 1.4 packages that fix multiple security\nissues are now available. \n\nRed Hat Product Security has rated this update as having Important security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Subscription Asset Manager for RHEL 6 Server - noarch\n\n3. Description:\n\nRed Hat Subscription Asset Manager acts as a proxy for handling\nsubscription information and software updates on client machines. Red Hat\nSubscription Asset Manager is built on Ruby on Rails, a\nmodel-view-controller (MVC) framework for web application development. \nAction Pack implements the controller and the view components. \n\nA directory traversal flaw was found in the way Ruby on Rails handled\nwildcard segments in routes with implicit rendering. A remote attacker\ncould use this flaw to retrieve arbitrary local files accessible to a Ruby\non Rails application using the aforementioned routes via a specially\ncrafted request. (CVE-2014-0130)\n\nA flaw was found in the way Ruby on Rails handled hashes in certain\nqueries. A remote attacker could use this flaw to perform a denial of\nservice (resource consumption) attack by sending specially crafted queries\nthat would result in the creation of Ruby symbols, which were never garbage\ncollected. (CVE-2013-1854)\n\nTwo cross-site scripting (XSS) flaws were found in Action Pack. A remote\nattacker could use these flaws to conduct XSS attacks against users of an\napplication using Action Pack. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nRed Hat would like to thank Ruby on Rails upstream for reporting these\nissues. Upstream acknowledges Ben Murphy as the original reporter of\nCVE-2013-1854, Charlie Somerville as the original reporter of\nCVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857,\nPeter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the\noriginal reporter of CVE-2013-6414, and Ankit Gupta as the original\nreporter of CVE-2013-6415. \n\nAll Subscription Asset Manager users are advised to upgrade to these\nupdated packages, which contain backported patches to correct these issues. \n\n4. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. \n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability\n921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css\n921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails\n1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS\n1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS\n1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS\n1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue\n\n6. Package List:\n\nRed Hat Subscription Asset Manager for RHEL 6 Server:\n\nSource:\nkatello-1.4.3.28-1.el6sam_splice.src.rpm\nruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm\nruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm\nruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm\nruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm\nruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm\nruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm\nruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm\nruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm\nruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm\nruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm\nruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm\n\nnoarch:\nkatello-common-1.4.3.28-1.el6sam_splice.noarch.rpm\nkatello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm\nkatello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm\nkatello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm\nkatello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm\nruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm\nruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm\nruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm\nruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm\nruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm\nruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm\nruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm\nruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm\nruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm\nruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm\nruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm\n\nThese packages are GPG signed by Red Hat for security. Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2013-1854\nhttps://access.redhat.com/security/cve/CVE-2013-1855\nhttps://access.redhat.com/security/cve/CVE-2013-1857\nhttps://access.redhat.com/security/cve/CVE-2013-4491\nhttps://access.redhat.com/security/cve/CVE-2013-6414\nhttps://access.redhat.com/security/cve/CVE-2013-6415\nhttps://access.redhat.com/security/cve/CVE-2014-0130\nhttps://access.redhat.com/security/updates/classification/#important\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2014 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y\nSoVal0zNgx0pwtSAkS1q5/0=\n=i5aK\n-----END PGP SIGNATURE-----\n\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "BID",
"id": "64076"
},
{
"db": "PACKETSTORM",
"id": "125923"
},
{
"db": "PACKETSTORM",
"id": "124669"
},
{
"db": "PACKETSTORM",
"id": "124305"
},
{
"db": "PACKETSTORM",
"id": "129131"
}
],
"trust": 2.25
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2013-4491",
"trust": 3.1
},
{
"db": "BID",
"id": "64076",
"trust": 1.9
},
{
"db": "SECUNIA",
"id": "57836",
"trust": 1.6
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "125923",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "124669",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "124305",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "129131",
"trust": 0.1
}
],
"sources": [
{
"db": "BID",
"id": "64076"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "PACKETSTORM",
"id": "125923"
},
{
"db": "PACKETSTORM",
"id": "124669"
},
{
"db": "PACKETSTORM",
"id": "124305"
},
{
"db": "PACKETSTORM",
"id": "129131"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"id": "VAR-201312-0118",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.24090908
},
"last_update_date": "2023-12-18T11:02:55.991000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Enterprise Chef 11.1.3 Release",
"trust": 0.8,
"url": "https://www.chef.io/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"title": "[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails",
"trust": 0.8,
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/plrh6duw998/blfeyio4k_ej"
},
{
"title": "openSUSE-SU-2013:1904",
"trust": 0.8,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"title": "openSUSE-SU-2013:1906",
"trust": 0.8,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"title": "openSUSE-SU-2013:1907",
"trust": 0.8,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"title": "Rails 3.2.16 and 4.0.2 have been released!",
"trust": 0.8,
"url": "http://weblog.rubyonrails.org/2013/12/3/rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"title": "RHSA-2014:1863",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2014-1863.html"
},
{
"title": "RHSA-2014:0008",
"trust": 0.8,
"url": "https://rhn.redhat.com/errata/rhsa-2014-0008.html"
},
{
"title": "RHSA-2013:1794",
"trust": 0.8,
"url": "http://rhn.redhat.com/errata/rhsa-2013-1794.html"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-79",
"trust": 1.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.0,
"url": "http://rhn.redhat.com/errata/rhsa-2014-0008.html"
},
{
"trust": 2.0,
"url": "http://rhn.redhat.com/errata/rhsa-2013-1794.html"
},
{
"trust": 1.9,
"url": "http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/"
},
{
"trust": 1.7,
"url": "http://rhn.redhat.com/errata/rhsa-2014-1863.html"
},
{
"trust": 1.6,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"trust": 1.6,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"trust": 1.6,
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"trust": 1.6,
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"trust": 1.6,
"url": "http://secunia.com/advisories/57836"
},
{
"trust": 1.6,
"url": "http://weblog.rubyonrails.org/2013/12/3/rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"trust": 1.6,
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"trust": 1.6,
"url": "http://www.securityfocus.com/bid/64076"
},
{
"trust": 1.6,
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/plrh6duw998/blfeyio4k_ej"
},
{
"trust": 1.6,
"url": "https://puppet.com/security/cve/cve-2013-4491"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4491"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4491"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-6414"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4491"
},
{
"trust": 0.4,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-6415"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"trust": 0.3,
"url": "http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/"
},
{
"trust": 0.3,
"url": "http://puppetlabs.com/security/cve/cve-2013-4491"
},
{
"trust": 0.3,
"url": "http://www.rubyonrails.com/"
},
{
"trust": 0.3,
"url": "rubygems.org/gems/i18n"
},
{
"trust": 0.3,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21665279"
},
{
"trust": 0.3,
"url": "https://www.suse.com/support/update/announcement/2014/suse-su-20140734-1.html"
},
{
"trust": 0.3,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-6417"
},
{
"trust": 0.3,
"url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
},
{
"trust": 0.3,
"url": "https://bugzilla.redhat.com/):"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/team/contact/"
},
{
"trust": 0.3,
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"trust": 0.2,
"url": "https://www.redhat.com/security/data/cve/cve-2013-6414.html"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/security/team/key/#package"
},
{
"trust": 0.2,
"url": "https://www.redhat.com/security/data/cve/cve-2013-6417.html"
},
{
"trust": 0.2,
"url": "https://access.redhat.com/site/articles/11258"
},
{
"trust": 0.2,
"url": "https://www.redhat.com/security/data/cve/cve-2013-4491.html"
},
{
"trust": 0.2,
"url": "https://www.redhat.com/security/data/cve/cve-2013-6415.html"
},
{
"trust": 0.1,
"url": "http://www.debian.org/security/faq"
},
{
"trust": 0.1,
"url": "http://www.debian.org/security/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-4389"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-1855"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-1857"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1857"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-4491"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-1854"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/articles/11258"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2014-0130"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2014-0130"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-6415"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1854"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2013-1855"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/team/key/"
},
{
"trust": 0.1,
"url": "https://access.redhat.com/security/cve/cve-2013-6414"
}
],
"sources": [
{
"db": "BID",
"id": "64076"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "PACKETSTORM",
"id": "125923"
},
{
"db": "PACKETSTORM",
"id": "124669"
},
{
"db": "PACKETSTORM",
"id": "124305"
},
{
"db": "PACKETSTORM",
"id": "129131"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "BID",
"id": "64076"
},
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"db": "PACKETSTORM",
"id": "125923"
},
{
"db": "PACKETSTORM",
"id": "124669"
},
{
"db": "PACKETSTORM",
"id": "124305"
},
{
"db": "PACKETSTORM",
"id": "129131"
},
{
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2013-12-03T00:00:00",
"db": "BID",
"id": "64076"
},
{
"date": "2013-12-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"date": "2014-03-28T19:44:00",
"db": "PACKETSTORM",
"id": "125923"
},
{
"date": "2014-01-06T23:18:51",
"db": "PACKETSTORM",
"id": "124669"
},
{
"date": "2013-12-06T01:04:06",
"db": "PACKETSTORM",
"id": "124305"
},
{
"date": "2014-11-17T23:30:56",
"db": "PACKETSTORM",
"id": "129131"
},
{
"date": "2013-12-07T00:55:03.553000",
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"date": "2013-12-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2015-04-13T21:56:00",
"db": "BID",
"id": "64076"
},
{
"date": "2015-08-10T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2013-005367"
},
{
"date": "2019-08-08T15:42:45.623000",
"db": "NVD",
"id": "CVE-2013-4491"
},
{
"date": "2019-08-09T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Ruby on Rails of internationalization Component cross-site scripting vulnerability",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2013-005367"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "xss",
"sources": [
{
"db": "PACKETSTORM",
"id": "125923"
},
{
"db": "CNNVD",
"id": "CNNVD-201312-123"
}
],
"trust": 0.7
}
}
ghsa-699m-mcjm-9cw8
Vulnerability from github
Published
2017-10-24 18:33
Modified
2023-08-25 19:05
Summary
actionpack vulnerable to Cross-site Scripting
Details
Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-4491"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:18:44Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "Cross-site scripting (XSS) vulnerability in `actionpack/lib/action_view/helpers/translation_helper.rb` in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem.",
"id": "GHSA-699m-mcjm-9cw8",
"modified": "2023-08-25T19:05:47Z",
"published": "2017-10-24T18:33:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-699m-mcjm-9cw8"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-4491.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/pLrh6DUw998"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
},
{
"type": "WEB",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "actionpack vulnerable to Cross-site Scripting"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.