Action not permitted
Modal body text goes here.
CVE-2014-0137
Vulnerability from cvelistv5
Published
2014-05-14 19:00
Modified
2024-08-06 09:05
Severity ?
EPSS score ?
Summary
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
References
▼ | URL | Tags | |
---|---|---|---|
secalert@redhat.com | http://rhn.redhat.com/errata/RHSA-2014-0469.html | Vendor Advisory |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-06T09:05:38.963Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "RHSA-2014:0469", "tags": [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "n/a", "vendor": "n/a", "versions": [ { "status": "affected", "version": "n/a" } ] } ], "datePublic": "2014-05-12T00:00:00", "descriptions": [ { "lang": "en", "value": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists." } ], "problemTypes": [ { "descriptions": [ { "description": "n/a", "lang": "en", "type": "text" } ] } ], "providerMetadata": { "dateUpdated": "2014-05-14T18:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat" }, "references": [ { "name": "RHSA-2014:0469", "tags": [ "vendor-advisory", "x_refsource_REDHAT" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html" } ] } }, "cveMetadata": { "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2014-0137", "datePublished": "2014-05-14T19:00:00", "dateReserved": "2013-12-03T00:00:00", "dateUpdated": "2024-08-06T09:05:38.963Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2014-0137\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-05-14T19:55:10.747\",\"lastModified\":\"2023-02-13T00:32:42.450\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de inyecci\u00f3n SQL en la acci\u00f3n saved_report_delete en ReportController en Red Hat CloudForms Management Engine (CFME) anterior a 5.2.3.2 permite a usuarios remotos autenticados ejecutar comandos SQL arbitrarios a trav\u00e9s de vectores no especificados, relacionado con MiqReportResult.exists.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:S/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.5},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-89\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.2.3\",\"matchCriteriaId\":\"25657755-FA72-4D27-93A1-45D61D22490E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D21CFAD1-5422-4595-841D-A80F940B1545\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E38C4E54-BFA6-4CF7-A73E-E3890496BFA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7F275AD8-24FA-4897-9BE4-D116A083D384\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0469.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]}]}}" } }
rhsa-2014_0469
Vulnerability from csaf_redhat
Published
2014-05-12 18:12
Modified
2024-11-22 07:41
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments.
A flaw was found in the way Ruby on Rails' actionpack rubygem performed
JSON parameter parsing. An application using a third party library, which
uses the Rack::Request interface, or custom Rack middleware could bypass
the protection implemented to fix the CVE-2013-0155 vulnerability, causing
the application to receive unsafe parameters and become vulnerable to
CVE-2013-0155. (CVE-2013-6417)
An input sanitization flaw was found in the saved_report_delete action in
the ReportController. An authenticated Management Engine user could use
this flaw to perform an SQL injection attack on the Management Engine back
end database. (CVE-2014-0137)
It was found that Red Hat CloudForms Management Engine did not properly
check user role permissions for actions associated with catalogs.
An authenticated Management Engine user could use this flaw to delete
arbitrary catalogs regardless of the granted permissions. (CVE-2014-0078)
Multiple stack-based buffer overflow flaws were found in the date/time
implementation of PostgreSQL. An authenticated database user could provide
a specially crafted date/time value that, when processed, could cause
PostgreSQL to crash or, potentially, execute arbitrary code with the
permissions of the user running PostgreSQL. (CVE-2014-0063)
Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in various type input functions in PostgreSQL. An authenticated
database user could possibly use these flaws to crash PostgreSQL or,
potentially, execute arbitrary code with the permissions of the user
running PostgreSQL. (CVE-2014-0064, CVE-2014-2669)
Multiple potential buffer overflow flaws were found in PostgreSQL.
An authenticated database user could possibly use these flaws to crash
PostgreSQL or, potentially, execute arbitrary code with the permissions of
the user running PostgreSQL. (CVE-2014-0065)
It was found that granting an SQL role to a database user in a PostgreSQL
database without specifying the "ADMIN" option allowed the grantee to
remove other users from their granted role. An authenticated database user
could use this flaw to remove a user from an SQL role which they were
granted access to. (CVE-2014-0060)
A flaw was found in the validator functions provided by PostgreSQL's
procedural languages. An authenticated database user could possibly use
this flaw to escalate their privileges. (CVE-2014-0061)
A race condition was found in the way PostgreSQL's CREATE INDEX command
performed multiple independent lookups of a table that had to be indexed.
An authenticated database user could possibly use this flaw to escalate
their privileges. (CVE-2014-0062)
It was found that the chkpass extension of PostgreSQL did not check the
return value of the crypt() function. An authenticated database user could
possibly use this flaw to crash PostgreSQL via a null pointer dereference.
(CVE-2014-0066)
Red Hat would like to thank the Ruby on Rails project for reporting
CVE-2013-6417; upstream acknowledges Sudhir Rao as the original reporter
of this issue.
Red Hat would also like to thank the PostgreSQL project for reporting
CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, CVE-2014-0066, and CVE-2014-2669; upstream acknowledges Noah
Misch, Heikki Linnakangas, Peter Eisentraut, Jozef Mlich, Andres Freund,
Robert Haas, Honza Horak, and Bruce Momjian as the original reporters of
these issues.
The CVE-2014-0137 and CVE-2014-0078 issues were discovered by Jan Rusnacko
of the Red Hat Product Security Team.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated cfme packages that fix multiple security issues, several bugs, and\nadd various enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation needed to address the challenges of managing virtual\nenvironments.\n\nA flaw was found in the way Ruby on Rails\u0027 actionpack rubygem performed\nJSON parameter parsing. An application using a third party library, which\nuses the Rack::Request interface, or custom Rack middleware could bypass\nthe protection implemented to fix the CVE-2013-0155 vulnerability, causing\nthe application to receive unsafe parameters and become vulnerable to\nCVE-2013-0155. (CVE-2013-6417)\n\nAn input sanitization flaw was found in the saved_report_delete action in\nthe ReportController. An authenticated Management Engine user could use\nthis flaw to perform an SQL injection attack on the Management Engine back\nend database. (CVE-2014-0137)\n\nIt was found that Red Hat CloudForms Management Engine did not properly\ncheck user role permissions for actions associated with catalogs.\nAn authenticated Management Engine user could use this flaw to delete\narbitrary catalogs regardless of the granted permissions. (CVE-2014-0078)\n\nMultiple stack-based buffer overflow flaws were found in the date/time\nimplementation of PostgreSQL. An authenticated database user could provide\na specially crafted date/time value that, when processed, could cause\nPostgreSQL to crash or, potentially, execute arbitrary code with the\npermissions of the user running PostgreSQL. (CVE-2014-0063)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in various type input functions in PostgreSQL. An authenticated\ndatabase user could possibly use these flaws to crash PostgreSQL or,\npotentially, execute arbitrary code with the permissions of the user\nrunning PostgreSQL. (CVE-2014-0064, CVE-2014-2669)\n\nMultiple potential buffer overflow flaws were found in PostgreSQL.\nAn authenticated database user could possibly use these flaws to crash\nPostgreSQL or, potentially, execute arbitrary code with the permissions of\nthe user running PostgreSQL. (CVE-2014-0065)\n\nIt was found that granting an SQL role to a database user in a PostgreSQL\ndatabase without specifying the \"ADMIN\" option allowed the grantee to\nremove other users from their granted role. An authenticated database user\ncould use this flaw to remove a user from an SQL role which they were\ngranted access to. (CVE-2014-0060)\n\nA flaw was found in the validator functions provided by PostgreSQL\u0027s\nprocedural languages. An authenticated database user could possibly use\nthis flaw to escalate their privileges. (CVE-2014-0061)\n\nA race condition was found in the way PostgreSQL\u0027s CREATE INDEX command\nperformed multiple independent lookups of a table that had to be indexed.\nAn authenticated database user could possibly use this flaw to escalate\ntheir privileges. (CVE-2014-0062)\n\nIt was found that the chkpass extension of PostgreSQL did not check the\nreturn value of the crypt() function. An authenticated database user could\npossibly use this flaw to crash PostgreSQL via a null pointer dereference.\n(CVE-2014-0066)\n\nRed Hat would like to thank the Ruby on Rails project for reporting\nCVE-2013-6417; upstream acknowledges Sudhir Rao as the original reporter\nof this issue.\n\nRed Hat would also like to thank the PostgreSQL project for reporting\nCVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,\nCVE-2014-0065, CVE-2014-0066, and CVE-2014-2669; upstream acknowledges Noah\nMisch, Heikki Linnakangas, Peter Eisentraut, Jozef Mlich, Andres Freund,\nRobert Haas, Honza Horak, and Bruce Momjian as the original reporters of\nthese issues.\n\nThe CVE-2014-0137 and CVE-2014-0078 issues were discovered by Jan Rusnacko\nof the Red Hat Product Security Team.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2014:0469", "url": "https://access.redhat.com/errata/RHSA-2014:0469" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html", "url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html" }, { "category": "external", "summary": "1036409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409" }, { "category": "external", "summary": "1064556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1064556" }, { "category": "external", "summary": "1065219", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065219" }, { "category": "external", "summary": "1065220", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065220" }, { "category": "external", "summary": "1065222", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065222" }, { "category": "external", "summary": "1065226", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065226" }, { "category": "external", "summary": "1065230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065230" }, { "category": "external", "summary": "1065235", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065235" }, { "category": "external", "summary": "1065236", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065236" }, { "category": "external", "summary": "1076688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076688" }, { "category": "external", "summary": "1082154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1082154" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0469.json" } ], "title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update", "tracking": { "current_release_date": "2024-11-22T07:41:57+00:00", "generator": { "date": "2024-11-22T07:41:57+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2014:0469", "initial_release_date": "2014-05-12T18:12:35+00:00", "revision_history": [ { "date": "2014-05-12T18:12:35+00:00", "number": "1", "summary": "Initial version" }, { "date": "2014-05-12T18:12:35+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T07:41:57+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Management Engine", "product": { "name": "Management Engine", "product_id": "6Server-CFME", "product_identification_helper": { "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6" } } } ], "category": "product_family", "name": "Red Hat CloudForms" }, { "branches": [ { "category": "product_version", "name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-contrib@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-plperl@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-libs@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-debuginfo@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-test@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-docs@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-upgrade@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-devel@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-server@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-plpython@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "product": { "name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "product_id": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql-pltcl@9.2.7-1.1.el6?arch=x86_64" } } }, { "category": "product_version", "name": "prince-0:9.0r2-4.el6cf.x86_64", "product": { "name": "prince-0:9.0r2-4.el6cf.x86_64", "product_id": "prince-0:9.0r2-4.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/prince@9.0r2-4.el6cf?arch=x86_64" } } }, { "category": "product_version", "name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "product": { "name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "product_id": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme-lib@5.2.3.2-1.el6cf?arch=x86_64" } } }, { "category": "product_version", "name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "product": { "name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "product_id": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.3.2-1.el6cf?arch=x86_64" } } }, { "category": "product_version", "name": "cfme-0:5.2.3.2-1.el6cf.x86_64", "product": { "name": "cfme-0:5.2.3.2-1.el6cf.x86_64", "product_id": "cfme-0:5.2.3.2-1.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme@5.2.3.2-1.el6cf?arch=x86_64" } } }, { "category": "product_version", "name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "product": { "name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "product_id": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.3.2-1.el6cf?arch=x86_64" } } }, { "category": "product_version", "name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "product": { "name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "product_id": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme-appliance@5.2.3.2-1.el6cf?arch=x86_64" } } } ], "category": "architecture", "name": "x86_64" }, { "branches": [ { "category": "product_version", "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src", "product": { "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src", "product_id": "postgresql92-postgresql-0:9.2.7-1.1.el6.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/postgresql92-postgresql@9.2.7-1.1.el6?arch=src" } } }, { "category": "product_version", "name": "prince-0:9.0r2-4.el6cf.src", "product": { "name": "prince-0:9.0r2-4.el6cf.src", "product_id": "prince-0:9.0r2-4.el6cf.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/prince@9.0r2-4.el6cf?arch=src" } } }, { "category": "product_version", "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src", "product": { "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src", "product_id": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.13-6.el6cf?arch=src\u0026epoch=1" } } }, { "category": "product_version", "name": "cfme-0:5.2.3.2-1.el6cf.src", "product": { "name": "cfme-0:5.2.3.2-1.el6cf.src", "product_id": "cfme-0:5.2.3.2-1.el6cf.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/cfme@5.2.3.2-1.el6cf?arch=src" } } } ], "category": "architecture", "name": "src" }, { "branches": [ { "category": "product_version", "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "product": { "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "product_id": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.13-6.el6cf?arch=noarch\u0026epoch=1" } } } ], "category": "architecture", "name": "noarch" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "cfme-0:5.2.3.2-1.el6cf.src as a component of Management Engine", "product_id": "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src" }, "product_reference": "cfme-0:5.2.3.2-1.el6cf.src", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "cfme-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64" }, "product_reference": "cfme-0:5.2.3.2-1.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64" }, "product_reference": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64" }, "product_reference": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64" }, "product_reference": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64" }, "product_reference": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src" }, "product_reference": "postgresql92-postgresql-0:9.2.7-1.1.el6.src", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64" }, "product_reference": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "prince-0:9.0r2-4.el6cf.src as a component of Management Engine", "product_id": "6Server-CFME:prince-0:9.0r2-4.el6cf.src" }, "product_reference": "prince-0:9.0r2-4.el6cf.src", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "prince-0:9.0r2-4.el6cf.x86_64 as a component of Management Engine", "product_id": "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64" }, "product_reference": "prince-0:9.0r2-4.el6cf.x86_64", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch as a component of Management Engine", "product_id": "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch" }, "product_reference": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "relates_to_product_reference": "6Server-CFME" }, { "category": "default_component_of", "full_product_name": { "name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src as a component of Management Engine", "product_id": "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" }, "product_reference": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src", "relates_to_product_reference": "6Server-CFME" } ] }, "vulnerabilities": [ { "acknowledgments": [ { "names": [ "Ruby on Rails project" ] } ], "cve": "CVE-2013-6417", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2013-12-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1036409" } ], "notes": [ { "category": "description", "text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.", "title": "Vulnerability description" }, { "category": "summary", "text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2013-6417" }, { "category": "external", "summary": "RHBZ#1036409", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417", "url": "https://www.cve.org/CVERecord?id=CVE-2013-6417" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417", "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417" } ], "release_date": "2013-12-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Noah Misch" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0060", "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065219" } ], "notes": [ { "category": "description", "text": "PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0060" }, { "category": "external", "summary": "RHBZ#1065219", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065219" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0060", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0060" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0060", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0060" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Andres Freund" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0061", "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065220" } ], "notes": [ { "category": "description", "text": "The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: privilege escalation via procedural language validator functions", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0061" }, { "category": "external", "summary": "RHBZ#1065220", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065220" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0061", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0061" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0061", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0061" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "postgresql: privilege escalation via procedural language validator functions" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Andres Freund", "Robert Haas" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0062", "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065222" } ], "notes": [ { "category": "description", "text": "Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: CREATE INDEX race condition possibly leading to privilege escalation", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0062" }, { "category": "external", "summary": "RHBZ#1065222", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065222" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0062", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0062" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0062", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0062" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "postgresql: CREATE INDEX race condition possibly leading to privilege escalation" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Noah Misch" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0063", "cwe": { "id": "CWE-121", "name": "Stack-based Buffer Overflow" }, "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065226" } ], "notes": [ { "category": "description", "text": "Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: stack-based buffer overflow in datetime input/output", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0063" }, { "category": "external", "summary": "RHBZ#1065226", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065226" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0063", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0063" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0063", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0063" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "postgresql: stack-based buffer overflow in datetime input/output" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Heikki Linnakangas", "Noah Misch" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0064", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065230" } ], "notes": [ { "category": "description", "text": "Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: integer overflows leading to buffer overflows", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0064" }, { "category": "external", "summary": "RHBZ#1065230", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065230" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0064", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0064" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0064", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0064" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "postgresql: integer overflows leading to buffer overflows" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Peter Eisentraut", "Jozef Mlich" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0065", "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065235" } ], "notes": [ { "category": "description", "text": "Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: possible buffer overflow flaws", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0065" }, { "category": "external", "summary": "RHBZ#1065235", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065235" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0065", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0065" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0065", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0065" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "postgresql: possible buffer overflow flaws" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Honza Horak", "Bruce Momjian" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-0066", "cwe": { "id": "CWE-476", "name": "NULL Pointer Dereference" }, "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1065236" } ], "notes": [ { "category": "description", "text": "The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: NULL pointer dereference", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0066" }, { "category": "external", "summary": "RHBZ#1065236", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065236" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0066", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0066" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0066", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0066" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "postgresql: NULL pointer dereference" }, { "acknowledgments": [ { "names": [ "Jan Rusnacko" ], "organization": "Red Hat Product Security Team", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2014-0078", "cwe": { "id": "CWE-862", "name": "Missing Authorization" }, "discovery_date": "2014-02-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1064556" } ], "notes": [ { "category": "description", "text": "The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID.", "title": "Vulnerability description" }, { "category": "summary", "text": "CFME: multiple authorization bypass vulnerabilities in CatalogController", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0078" }, { "category": "external", "summary": "RHBZ#1064556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1064556" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0078", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0078" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0078", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0078" } ], "release_date": "2014-05-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "CFME: multiple authorization bypass vulnerabilities in CatalogController" }, { "acknowledgments": [ { "names": [ "Jan Rusnacko" ], "organization": "Red Hat Product Security Team", "summary": "This issue was discovered by Red Hat." } ], "cve": "CVE-2014-0137", "cwe": { "id": "CWE-89", "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)" }, "discovery_date": "2014-03-14T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1076688" } ], "notes": [ { "category": "description", "text": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.", "title": "Vulnerability description" }, { "category": "summary", "text": "CFME: ReportController SQL injection", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-0137" }, { "category": "external", "summary": "RHBZ#1076688", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076688" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-0137", "url": "https://www.cve.org/CVERecord?id=CVE-2014-0137" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0137", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0137" } ], "release_date": "2014-05-12T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.9, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "CFME: ReportController SQL injection" }, { "acknowledgments": [ { "names": [ "PostgreSQL project" ] }, { "names": [ "Heikki Linnakangas", "Noah Misch" ], "summary": "Acknowledged by upstream." } ], "cve": "CVE-2014-2669", "cwe": { "id": "CWE-190", "name": "Integer Overflow or Wraparound" }, "discovery_date": "2014-02-10T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "1082154" } ], "notes": [ { "category": "description", "text": "Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.", "title": "Vulnerability description" }, { "category": "summary", "text": "postgresql: multiple integer overflows in hstore_io.c", "title": "Vulnerability summary" }, { "category": "other", "text": "Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 5 and 6.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2014-2669" }, { "category": "external", "summary": "RHBZ#1082154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1082154" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2014-2669", "url": "https://www.cve.org/CVERecord?id=CVE-2014-2669" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-2669", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2669" } ], "release_date": "2014-02-17T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2014-05-12T18:12:35+00:00", "details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258", "product_ids": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2014:0469" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "products": [ "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src", "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src", "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64", "6Server-CFME:prince-0:9.0r2-4.el6cf.src", "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch", "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "postgresql: multiple integer overflows in hstore_io.c" } ] }
gsd-2014-0137
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
Aliases
Aliases
{ "GSD": { "alias": "CVE-2014-0137", "description": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.", "id": "GSD-2014-0137", "references": [ "https://access.redhat.com/errata/RHSA-2014:0469" ] }, "gsd": { "metadata": { "exploitCode": "unknown", "remediation": "unknown", "reportConfidence": "confirmed", "type": "vulnerability" }, "osvSchema": { "aliases": [ "CVE-2014-0137" ], "details": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.", "id": "GSD-2014-0137", "modified": "2023-12-13T01:22:44.853959Z", "schema_version": "1.4.0" } }, "namespaces": { "cve.org": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0137", "STATE": "PUBLIC" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "n/a", "version": { "version_data": [ { "version_affected": "=", "version_value": "n/a" } ] } } ] }, "vendor_name": "n/a" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "n/a" } ] } ] }, "references": { "reference_data": [ { "name": "http://rhn.redhat.com/errata/RHSA-2014-0469.html", "refsource": "MISC", "url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html" } ] } }, "nvd.nist.gov": { "configurations": { "CVE_data_version": "4.0", "nodes": [ { "children": [], "cpe_match": [ { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2.1:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*", "cpe_name": [], "versionEndIncluding": "5.2.3", "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true }, { "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true } ], "operator": "OR" } ] }, "cve": { "CVE_data_meta": { "ASSIGNER": "secalert@redhat.com", "ID": "CVE-2014-0137" }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "en", "value": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "en", "value": "CWE-89" } ] } ] }, "references": { "reference_data": [ { "name": "RHSA-2014:0469", "refsource": "REDHAT", "tags": [ "Vendor Advisory" ], "url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html" } ] } }, "impact": { "baseMetricV2": { "acInsufInfo": false, "cvssV2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0" }, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false } }, "lastModifiedDate": "2023-02-13T00:32Z", "publishedDate": "2014-05-14T19:55Z" } } }
ghsa-vc39-w9gh-6rx2
Vulnerability from github
Published
2022-05-17 04:43
Modified
2022-05-17 04:43
Details
SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.
{ "affected": [], "aliases": [ "CVE-2014-0137" ], "database_specific": { "cwe_ids": [ "CWE-89" ], "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2014-05-14T19:55:00Z", "severity": "MODERATE" }, "details": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.", "id": "GHSA-vc39-w9gh-6rx2", "modified": "2022-05-17T04:43:50Z", "published": "2022-05-17T04:43:50Z", "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0137" }, { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2014:0469" }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2014-0137" }, { "type": "WEB", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076688" }, { "type": "WEB", "url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html" } ], "schema_version": "1.4.0", "severity": [] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.