Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2012-5486
Vulnerability from cvelistv5
Published
2014-09-30 14:00
Modified
2024-08-06 21:05
Severity ?
EPSS score ?
Summary
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T21:05:47.236Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"name": "[oss-security] 20121109 Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"name": "RHSA-2014:1194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2012-11-06T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-10-06T13:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"name": "[oss-security] 20121109 Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"name": "RHSA-2014:1194",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2012-5486",
"datePublished": "2014-09-30T14:00:00",
"dateReserved": "2012-10-24T00:00:00",
"dateUpdated": "2024-08-06T21:05:47.236Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"4.2.2\", \"matchCriteriaId\": \"17D1DF1B-1EAE-4B2E-89D5-A97301AE3164\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6A2A9AE1-47C9-4073-BC2C-08C62874FFF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3802A1E1-0816-449E-858E-20039F4ED5DF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BC1E9D9C-97A0-4093-9492-493B1B4CD4B0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4099B8D1-1F79-4BFB-943E-158E7394D90B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FA0E119C-876F-4226-AF5F-44763EEBA29A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B4937F4A-147C-4AD8-BB88-C3C3C9C8ADBA\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:1.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"035E2851-A3D4-4E90-8602-F500DC469C3E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2BDEAEAC-3B26-4C95-865C-326ACD793133\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BA5D3643-BFBB-48BE-802C-D6CD940945F1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3FC29D0-66F9-4A1A-86A6-8FD427825112\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"78E33FEC-33DA-45AC-8095-0D3C74FADC9B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4FC93EC3-FE5D-410E-8DE5-2346D839F56C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"67D4EB7F-BC46-4F2E-B065-303961C47B1E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"08747064-EC22-40B4-92EF-4640788FE55D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A4EB85E3-9A76-4B79-AF7D-91484784A2EF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"78755057-2613-4D5E-8F59-2C117EE282B6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D49359CD-63EF-4D3A-92DC-C16DEE88138B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9DE940BA-B784-4193-AB77-333F15B6C32D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9762C674-380B-4831-BBA1-3B27742121B0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3D938645-80CE-4287-830E-A3BD0C5C84FB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BB0F7BFC-DC20-46B3-90E7-264E3A8A7886\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F2C09C10-AEA0-41F4-B964-507B40580BE9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7B60568E-A688-46AF-B627-062A029A7324\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"8B635DAD-AC53-4484-8750-200B662DAFD1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0B647E76-E8B8-4329-8848-3B90EB262807\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0D0A6B8F-4018-44DC-9862-45309619DC6D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0F10374F-2BB3-48D2-B19F-9B2D038A8E35\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FEAC4F93-D26C-48F3-A7FF-8DC008FC2671\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"552661B7-093D-4B3C-8770-FCDE6032AA17\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5180F9D2-E44B-455D-968C-792026AC832A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.0.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"636226E4-B880-41FE-A727-EF56CF8E6249\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"BF6E934A-C344-4861-8CD4-D18D52672D5C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"25780BBE-8013-4100-9EA8-7EFC244399A0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A089ED64-07E6-4F4C-97AE-AF74269A4DB1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EF2334C9-9B34-4C7D-93A2-172E596E05C6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"354046F4-FA55-4AFC-935A-C803D36CDE86\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DF1496A7-6D0A-4970-B0BF-83758065BC6A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"47DEF57C-92F0-4999-AF8E-CEE27EE92CD6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.1.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4BED4241-D823-402A-A389-7E52C410E2F7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CE9A55E6-F265-4BB8-8683-3E0CFA01EC73\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"970FD910-50A4-478A-ADE6-EB912C261DAD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A490523-1063-44E4-A72A-C23070279181\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.2.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D8559F17-63D1-45DB-8A28-47F729DC6686\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"FDC93803-6506-4382-A013-18010EE7E06B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E65977FD-A880-4D16-B56B-94A72774F42D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4EA5B4F8-2155-403D-97D8-1272285D508B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"A3CA2943-77E5-4384-A019-415BBCE62F94\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B7FF63F6-F1DC-4A97-A2E6-11CF613A31E8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"538A3519-5B04-4FE5-A3C0-FD26EFA32705\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E08F4534-A588-463F-A745-39E559AB1CB8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B64341BA-5722-415E-9771-9837168AB7C0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E2929227-AE19-428D-9AC3-D312A559039B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3B6DC866-0FEE-475B-855C-A69E004810CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"50BF3E8E-152C-4E89-BAA2-A952D10F4611\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"49DB97A7-89DD-43C0-A490-84AA7069764B\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7C44B53B-953B-4522-A5B4-11573850D2CD\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"47321B60-67DA-4543-B173-D629A9569B45\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"58B36EB2-723F-4E25-8018-EEB2BE806D9D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"7962EF74-6AC1-424C-A202-163AFDADA971\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1F1818BB-E23A-4136-898D-1D0C80C08728\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:a1:*:*:*:*:*:*\", \"matchCriteriaId\": \"4E75A96E-2471-442A-8502-8F34EF18A477\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:a2:*:*:*:*:*:*\", \"matchCriteriaId\": \"7971F6D6-8885-4D2A-BCDF-96D3D0C78841\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:b1:*:*:*:*:*:*\", \"matchCriteriaId\": \"0489DDC0-E65A-4EAD-854B-033307C2945C\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:b2:*:*:*:*:*:*\", \"matchCriteriaId\": \"659407BA-C011-4632-A355-41BD418EFA90\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:rc1:*:*:*:*:*:*\", \"matchCriteriaId\": \"42729F4A-C726-4955-80DB-68A18F774F05\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2:rc2:*:*:*:*:*:*\", \"matchCriteriaId\": \"9C9F5C87-AD89-4E99-BA1D-E922CD0D7691\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2.0.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9E59B50E-FF75-4A97-B76A-288A2981D4FC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5CB06627-133A-40D1-8816-E31E0A9BAD22\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.2.1.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3FE6B05A-1655-4FC1-AB07-0DF71F0021A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CE168A35-1A46-4A6F-8A08-25CDD886066D\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"484BD5DA-B3D7-41C4-8E02-AE8C4EBEC5A2\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.6.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"60254EFC-026C-41A9-8587-ED22B2570CCF\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.6.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"98388A7B-2DE4-4C40-9135-EB4BAD6BC69E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E296CD1C-2601-4A63-9E9D-38A39C84BF5D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EAA38381-4C32-4C55-8116-341028D1888A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1B294E38-65FD-474D-BABC-9447EF33202A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"685805FD-1A33-480E-A313-255EDF0B5266\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D827148D-4A8A-41DB-91B6-0049706D53D8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0273EF1B-BC64-432F-8966-68547DFAD6BC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.7.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5A52CDCE-172C-4FAC-9015-ACF362E8E8A0\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"244107E5-42B0-4695-BBC9-5B90AD0A1336\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.8.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9A40B0D1-1812-4BC7-AC7D-CCE6184A9DB1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.8.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"62BCE60F-9081-44D3-87FC-396D1A954626\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.8.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B2759CCE-3A1F-4E3F-9832-8BF3AA4F20F9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C0279FD6-9E30-429A-BB70-9B7AF7055160\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"78E8ABCF-A7BE-4AB7-BFE9-CF29F7E02860\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6561FF26-91C5-40AF-8AA6-E98D295AC33F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DAF323F8-6F93-46CB-A94C-B0774C54188F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0EF07C5D-DE44-409F-87B6-FB713BAF2547\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.9.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AACD00C8-F451-4B27-855F-57B6F38A28E6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"0A85B5F4-C731-45F7-801F-8399B06EE135\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"52629E94-50DC-4F00-8F96-217F4F2B82B3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"92CC66BD-4B63-4CA5-9F4E-A5F1FC6A86DC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"68155E38-F337-42CE-AE30-9482EBED8EA6\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E7994032-FEBB-4FD3-9808-A7B277CAD8A7\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C675DA8E-D981-4CFE-8EF7-04FD187DC5CB\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:zope:zope:2.13.18:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DFE141CF-0196-4DCA-B328-84F8EA3D6804\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.\"}, {\"lang\": \"es\", \"value\": \"ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a trav\\u00e9s de un caracter \u0027linefeed\u0027 (LF).\"}]",
"evaluatorComment": "\u003ca href = \"http://cwe.mitre.org/data/definitions/113.html\"\u003e CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) \u003c/a\u003e",
"id": "CVE-2012-5486",
"lastModified": "2024-11-21T01:44:44.650",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:P\", \"baseScore\": 6.4, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 4.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2014-09-30T14:55:05.843",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1194.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2012/11/10/1\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugs.launchpad.net/zope2/+bug/930812\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://plone.org/products/plone-hotfix/releases/20121106\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Patch\"]}, {\"url\": \"https://plone.org/products/plone/security/advisories/20121106/02\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-1194.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.openwall.com/lists/oss-security/2012/11/10/1\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugs.launchpad.net/zope2/+bug/930812\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://plone.org/products/plone-hotfix/releases/20121106\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\"]}, {\"url\": \"https://plone.org/products/plone/security/advisories/20121106/02\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-Other\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2012-5486\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-09-30T14:55:05.843\",\"lastModified\":\"2024-11-21T01:44:44.650\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.\"},{\"lang\":\"es\",\"value\":\"ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a trav\u00e9s de un caracter \u0027linefeed\u0027 (LF).\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:P\",\"baseScore\":6.4,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.2.2\",\"matchCriteriaId\":\"17D1DF1B-1EAE-4B2E-89D5-A97301AE3164\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6A2A9AE1-47C9-4073-BC2C-08C62874FFF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3802A1E1-0816-449E-858E-20039F4ED5DF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BC1E9D9C-97A0-4093-9492-493B1B4CD4B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4099B8D1-1F79-4BFB-943E-158E7394D90B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FA0E119C-876F-4226-AF5F-44763EEBA29A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4937F4A-147C-4AD8-BB88-C3C3C9C8ADBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:1.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"035E2851-A3D4-4E90-8602-F500DC469C3E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2BDEAEAC-3B26-4C95-865C-326ACD793133\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BA5D3643-BFBB-48BE-802C-D6CD940945F1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3FC29D0-66F9-4A1A-86A6-8FD427825112\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"78E33FEC-33DA-45AC-8095-0D3C74FADC9B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4FC93EC3-FE5D-410E-8DE5-2346D839F56C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67D4EB7F-BC46-4F2E-B065-303961C47B1E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"08747064-EC22-40B4-92EF-4640788FE55D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A4EB85E3-9A76-4B79-AF7D-91484784A2EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"78755057-2613-4D5E-8F59-2C117EE282B6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D49359CD-63EF-4D3A-92DC-C16DEE88138B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9DE940BA-B784-4193-AB77-333F15B6C32D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9762C674-380B-4831-BBA1-3B27742121B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3D938645-80CE-4287-830E-A3BD0C5C84FB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BB0F7BFC-DC20-46B3-90E7-264E3A8A7886\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F2C09C10-AEA0-41F4-B964-507B40580BE9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B60568E-A688-46AF-B627-062A029A7324\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8B635DAD-AC53-4484-8750-200B662DAFD1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0B647E76-E8B8-4329-8848-3B90EB262807\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0D0A6B8F-4018-44DC-9862-45309619DC6D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F10374F-2BB3-48D2-B19F-9B2D038A8E35\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FEAC4F93-D26C-48F3-A7FF-8DC008FC2671\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"552661B7-093D-4B3C-8770-FCDE6032AA17\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5180F9D2-E44B-455D-968C-792026AC832A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"636226E4-B880-41FE-A727-EF56CF8E6249\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"BF6E934A-C344-4861-8CD4-D18D52672D5C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"25780BBE-8013-4100-9EA8-7EFC244399A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A089ED64-07E6-4F4C-97AE-AF74269A4DB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EF2334C9-9B34-4C7D-93A2-172E596E05C6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"354046F4-FA55-4AFC-935A-C803D36CDE86\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF1496A7-6D0A-4970-B0BF-83758065BC6A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47DEF57C-92F0-4999-AF8E-CEE27EE92CD6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4BED4241-D823-402A-A389-7E52C410E2F7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE9A55E6-F265-4BB8-8683-3E0CFA01EC73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"970FD910-50A4-478A-ADE6-EB912C261DAD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A490523-1063-44E4-A72A-C23070279181\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8559F17-63D1-45DB-8A28-47F729DC6686\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FDC93803-6506-4382-A013-18010EE7E06B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E65977FD-A880-4D16-B56B-94A72774F42D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EA5B4F8-2155-403D-97D8-1272285D508B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A3CA2943-77E5-4384-A019-415BBCE62F94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B7FF63F6-F1DC-4A97-A2E6-11CF613A31E8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"538A3519-5B04-4FE5-A3C0-FD26EFA32705\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E08F4534-A588-463F-A745-39E559AB1CB8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B64341BA-5722-415E-9771-9837168AB7C0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E2929227-AE19-428D-9AC3-D312A559039B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3B6DC866-0FEE-475B-855C-A69E004810CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"50BF3E8E-152C-4E89-BAA2-A952D10F4611\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"49DB97A7-89DD-43C0-A490-84AA7069764B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7C44B53B-953B-4522-A5B4-11573850D2CD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"47321B60-67DA-4543-B173-D629A9569B45\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58B36EB2-723F-4E25-8018-EEB2BE806D9D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"7962EF74-6AC1-424C-A202-163AFDADA971\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F1818BB-E23A-4136-898D-1D0C80C08728\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:a1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4E75A96E-2471-442A-8502-8F34EF18A477\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:a2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7971F6D6-8885-4D2A-BCDF-96D3D0C78841\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:b1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0489DDC0-E65A-4EAD-854B-033307C2945C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:b2:*:*:*:*:*:*\",\"matchCriteriaId\":\"659407BA-C011-4632-A355-41BD418EFA90\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"42729F4A-C726-4955-80DB-68A18F774F05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"9C9F5C87-AD89-4E99-BA1D-E922CD0D7691\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9E59B50E-FF75-4A97-B76A-288A2981D4FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CB06627-133A-40D1-8816-E31E0A9BAD22\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.2.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FE6B05A-1655-4FC1-AB07-0DF71F0021A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CE168A35-1A46-4A6F-8A08-25CDD886066D\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"484BD5DA-B3D7-41C4-8E02-AE8C4EBEC5A2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.6.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60254EFC-026C-41A9-8587-ED22B2570CCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.6.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98388A7B-2DE4-4C40-9135-EB4BAD6BC69E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E296CD1C-2601-4A63-9E9D-38A39C84BF5D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EAA38381-4C32-4C55-8116-341028D1888A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1B294E38-65FD-474D-BABC-9447EF33202A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"685805FD-1A33-480E-A313-255EDF0B5266\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D827148D-4A8A-41DB-91B6-0049706D53D8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0273EF1B-BC64-432F-8966-68547DFAD6BC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.7.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5A52CDCE-172C-4FAC-9015-ACF362E8E8A0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"244107E5-42B0-4695-BBC9-5B90AD0A1336\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.8.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A40B0D1-1812-4BC7-AC7D-CCE6184A9DB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.8.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"62BCE60F-9081-44D3-87FC-396D1A954626\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.8.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B2759CCE-3A1F-4E3F-9832-8BF3AA4F20F9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C0279FD6-9E30-429A-BB70-9B7AF7055160\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"78E8ABCF-A7BE-4AB7-BFE9-CF29F7E02860\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6561FF26-91C5-40AF-8AA6-E98D295AC33F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DAF323F8-6F93-46CB-A94C-B0774C54188F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0EF07C5D-DE44-409F-87B6-FB713BAF2547\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.9.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AACD00C8-F451-4B27-855F-57B6F38A28E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0A85B5F4-C731-45F7-801F-8399B06EE135\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"52629E94-50DC-4F00-8F96-217F4F2B82B3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"92CC66BD-4B63-4CA5-9F4E-A5F1FC6A86DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"68155E38-F337-42CE-AE30-9482EBED8EA6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E7994032-FEBB-4FD3-9808-A7B277CAD8A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C675DA8E-D981-4CFE-8EF7-04FD187DC5CB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:zope:zope:2.13.18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DFE141CF-0196-4DCA-B328-84F8EA3D6804\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-1194.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2012/11/10/1\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugs.launchpad.net/zope2/+bug/930812\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://plone.org/products/plone-hotfix/releases/20121106\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://plone.org/products/plone/security/advisories/20121106/02\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-1194.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2012/11/10/1\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugs.launchpad.net/zope2/+bug/930812\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://plone.org/products/plone-hotfix/releases/20121106\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://plone.org/products/plone/security/advisories/20121106/02\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}],\"evaluatorComment\":\"\u003ca href = \\\"http://cwe.mitre.org/data/definitions/113.html\\\"\u003e CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) \u003c/a\u003e\"}}"
}
}
rhsa-2014:1194
Vulnerability from csaf_redhat
Published
2014-09-16 05:28
Modified
2024-11-14 14:29
Summary
Red Hat Security Advisory: conga security and bug fix update
Notes
Topic
Updated conga packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
The Conga project is a management system for remote workstations.
It consists of luci, which is a secure web-based front end, and ricci,
which is a secure daemon that dispatches incoming messages to underlying
management modules.
It was discovered that Plone, included as a part of luci, did not properly
protect the administrator interface (control panel). A remote attacker
could use this flaw to inject a specially crafted Python statement or
script into Plone's restricted Python sandbox that, when the administrator
interface was accessed, would be executed with the privileges of that
administrator user. (CVE-2012-5485)
It was discovered that Plone, included as a part of luci, did not properly
sanitize HTTP headers provided within certain URL requests. A remote
attacker could use a specially crafted URL that, when processed, would
cause the injected HTTP headers to be returned as a part of the Plone HTTP
response, potentially allowing the attacker to perform other more advanced
attacks. (CVE-2012-5486)
Multiple information leak flaws were found in the way conga processed luci
site extension-related URL requests. A remote, unauthenticated attacker
could issue a specially crafted HTTP request that, when processed, would
result in unauthorized information disclosure. (CVE-2013-6496)
It was discovered that various components in the luci site
extension-related URLs were not properly restricted to administrative
users. A remote, authenticated attacker could escalate their privileges to
perform certain actions that should be restricted to administrative users,
such as adding users and systems, and viewing log data. (CVE-2014-3521)
It was discovered that Plone, included as a part of luci, did not properly
protect the privilege of running RestrictedPython scripts. A remote
attacker could use a specially crafted URL that, when processed, would
allow the attacker to submit and perform expensive computations or, in
conjunction with other attacks, be able to access or alter privileged
information. (CVE-2012-5488)
It was discovered that Plone, included as a part of luci, did not properly
enforce permissions checks on the membership database. A remote attacker
could use a specially crafted URL that, when processed, could allow the
attacker to enumerate user account names. (CVE-2012-5497)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of requests for certain collections. A remote
attacker could use a specially crafted URL that, when processed, would lead
to excessive I/O and/or cache resource consumption. (CVE-2012-5498)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of very large values passed to an internal utility
function. A remote attacker could use a specially crafted URL that, when
processed, would lead to excessive memory consumption. (CVE-2012-5499)
It was discovered that Plone, included as a part of luci, allowed a remote
anonymous user to change titles of content items due to improper
permissions checks. (CVE-2012-5500)
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the
CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.
In addition, these updated conga packages include several bug fixes.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,
linked to in the References section, for information on the most
significant of these changes
All conga users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the luci and ricci services will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated conga packages that fix multiple security issues and several bugs\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Conga project is a management system for remote workstations.\nIt consists of luci, which is a secure web-based front end, and ricci,\nwhich is a secure daemon that dispatches incoming messages to underlying\nmanagement modules.\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the administrator interface (control panel). A remote attacker\ncould use this flaw to inject a specially crafted Python statement or\nscript into Plone\u0027s restricted Python sandbox that, when the administrator\ninterface was accessed, would be executed with the privileges of that\nadministrator user. (CVE-2012-5485)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nsanitize HTTP headers provided within certain URL requests. A remote\nattacker could use a specially crafted URL that, when processed, would\ncause the injected HTTP headers to be returned as a part of the Plone HTTP\nresponse, potentially allowing the attacker to perform other more advanced\nattacks. (CVE-2012-5486)\n\nMultiple information leak flaws were found in the way conga processed luci\nsite extension-related URL requests. A remote, unauthenticated attacker\ncould issue a specially crafted HTTP request that, when processed, would\nresult in unauthorized information disclosure. (CVE-2013-6496)\n\nIt was discovered that various components in the luci site\nextension-related URLs were not properly restricted to administrative\nusers. A remote, authenticated attacker could escalate their privileges to\nperform certain actions that should be restricted to administrative users,\nsuch as adding users and systems, and viewing log data. (CVE-2014-3521)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the privilege of running RestrictedPython scripts. A remote\nattacker could use a specially crafted URL that, when processed, would\nallow the attacker to submit and perform expensive computations or, in\nconjunction with other attacks, be able to access or alter privileged\ninformation. (CVE-2012-5488)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nenforce permissions checks on the membership database. A remote attacker\ncould use a specially crafted URL that, when processed, could allow the\nattacker to enumerate user account names. (CVE-2012-5497)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of requests for certain collections. A remote\nattacker could use a specially crafted URL that, when processed, would lead\nto excessive I/O and/or cache resource consumption. (CVE-2012-5498)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of very large values passed to an internal utility\nfunction. A remote attacker could use a specially crafted URL that, when\nprocessed, would lead to excessive memory consumption. (CVE-2012-5499)\n\nIt was discovered that Plone, included as a part of luci, allowed a remote\nanonymous user to change titles of content items due to improper\npermissions checks. (CVE-2012-5500)\n\nThe CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the\nCVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.\n\nIn addition, these updated conga packages include several bug fixes.\nSpace precludes documenting all of these changes in this advisory.\nUsers are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,\nlinked to in the References section, for information on the most\nsignificant of these changes\n\nAll conga users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the luci and ricci services will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1194",
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html",
"url": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "970288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=970288"
},
{
"category": "external",
"summary": "971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "1065263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065263"
},
{
"category": "external",
"summary": "1072075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072075"
},
{
"category": "external",
"summary": "1076711",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076711"
},
{
"category": "external",
"summary": "1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1194.json"
}
],
"title": "Red Hat Security Advisory: conga security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T14:29:52+00:00",
"generator": {
"date": "2024-11-14T14:29:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2014:1194",
"initial_release_date": "2014-09-16T05:28:53+00:00",
"revision_history": [
{
"date": "2014-09-16T05:28:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-09-16T05:28:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:29:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_cluster:5"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ppc",
"product": {
"name": "ricci-0:0.12.2-81.el5.ppc",
"product_id": "ricci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ppc",
"product": {
"name": "luci-0:0.12.2-81.el5.ppc",
"product_id": "luci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.i386",
"product": {
"name": "ricci-0:0.12.2-81.el5.i386",
"product_id": "ricci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.i386",
"product": {
"name": "luci-0:0.12.2-81.el5.i386",
"product_id": "luci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product_id": "ricci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "luci-0:0.12.2-81.el5.x86_64",
"product_id": "luci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ia64",
"product": {
"name": "ricci-0:0.12.2-81.el5.ia64",
"product_id": "ricci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ia64",
"product": {
"name": "luci-0:0.12.2-81.el5.ia64",
"product_id": "luci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "conga-0:0.12.2-81.el5.src",
"product": {
"name": "conga-0:0.12.2-81.el5.src",
"product_id": "conga-0:0.12.2-81.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga@0.12.2-81.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-0:0.12.2-81.el5.src as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-0:0.12.2-81.el5.src"
},
"product_reference": "conga-0:0.12.2-81.el5.src",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.i386"
},
"product_reference": "luci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ia64"
},
"product_reference": "luci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ppc"
},
"product_reference": "luci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "luci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.i386"
},
"product_reference": "ricci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ia64"
},
"product_reference": "ricci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ppc"
},
"product_reference": "ricci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "ricci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5485",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878934"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone\u0027s restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5485"
},
{
"category": "external",
"summary": "RHBZ#878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5485",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5485"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5486",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878939"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. A remote attacker could use a specially crafted URL that, when processed, would cause the injected HTTP headers to be returned as a part of the Plone HTTP response, potentially allowing the attacker to perform other more advanced attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Reflexive HTTP header injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5486"
},
{
"category": "external",
"summary": "RHBZ#878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5486",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Reflexive HTTP header injection"
},
{
"cve": "CVE-2012-5488",
"cwe": {
"id": "CWE-95",
"name": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878945"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5488"
},
{
"category": "external",
"summary": "RHBZ#878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5488",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5497",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874681"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can list user account names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5497"
},
{
"category": "external",
"summary": "RHBZ#874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5497",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5497"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can list user account names"
},
{
"cve": "CVE-2012-5498",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874665"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through Collections functionality",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5498"
},
{
"category": "external",
"summary": "RHBZ#874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5498",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through Collections functionality"
},
{
"cve": "CVE-2012-5499",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874657"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through internal function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5499"
},
{
"category": "external",
"summary": "RHBZ#874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5499",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5499"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through internal function"
},
{
"cve": "CVE-2012-5500",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874649"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can batch change titles of content items",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5500"
},
{
"category": "external",
"summary": "RHBZ#874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5500",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can batch change titles of content items"
},
{
"acknowledgments": [
{
"names": [
"Jan Pokorny"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6496",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2013-06-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "971541"
}
],
"notes": [
{
"category": "description",
"text": "Multiple information leak flaws were found in the way conga processed luci site extension-related URL requests. A remote, unauthenticated attacker could issue a specially crafted HTTP request that, when processed, would result in unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "conga: Multiple information leak flaws in various luci site extensions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6496"
},
{
"category": "external",
"summary": "RHBZ#971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6496",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "conga: Multiple information leak flaws in various luci site extensions"
},
{
"acknowledgments": [
{
"names": [
"Radek Steiger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-3521",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2014-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1112813"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "luci: unauthorized administrative access granted to non-administrative users",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-3521"
},
{
"category": "external",
"summary": "RHBZ#1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-3521",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3521"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "luci: unauthorized administrative access granted to non-administrative users"
}
]
}
RHSA-2014:1194
Vulnerability from csaf_redhat
Published
2014-09-16 05:28
Modified
2024-11-14 14:29
Summary
Red Hat Security Advisory: conga security and bug fix update
Notes
Topic
Updated conga packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
The Conga project is a management system for remote workstations.
It consists of luci, which is a secure web-based front end, and ricci,
which is a secure daemon that dispatches incoming messages to underlying
management modules.
It was discovered that Plone, included as a part of luci, did not properly
protect the administrator interface (control panel). A remote attacker
could use this flaw to inject a specially crafted Python statement or
script into Plone's restricted Python sandbox that, when the administrator
interface was accessed, would be executed with the privileges of that
administrator user. (CVE-2012-5485)
It was discovered that Plone, included as a part of luci, did not properly
sanitize HTTP headers provided within certain URL requests. A remote
attacker could use a specially crafted URL that, when processed, would
cause the injected HTTP headers to be returned as a part of the Plone HTTP
response, potentially allowing the attacker to perform other more advanced
attacks. (CVE-2012-5486)
Multiple information leak flaws were found in the way conga processed luci
site extension-related URL requests. A remote, unauthenticated attacker
could issue a specially crafted HTTP request that, when processed, would
result in unauthorized information disclosure. (CVE-2013-6496)
It was discovered that various components in the luci site
extension-related URLs were not properly restricted to administrative
users. A remote, authenticated attacker could escalate their privileges to
perform certain actions that should be restricted to administrative users,
such as adding users and systems, and viewing log data. (CVE-2014-3521)
It was discovered that Plone, included as a part of luci, did not properly
protect the privilege of running RestrictedPython scripts. A remote
attacker could use a specially crafted URL that, when processed, would
allow the attacker to submit and perform expensive computations or, in
conjunction with other attacks, be able to access or alter privileged
information. (CVE-2012-5488)
It was discovered that Plone, included as a part of luci, did not properly
enforce permissions checks on the membership database. A remote attacker
could use a specially crafted URL that, when processed, could allow the
attacker to enumerate user account names. (CVE-2012-5497)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of requests for certain collections. A remote
attacker could use a specially crafted URL that, when processed, would lead
to excessive I/O and/or cache resource consumption. (CVE-2012-5498)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of very large values passed to an internal utility
function. A remote attacker could use a specially crafted URL that, when
processed, would lead to excessive memory consumption. (CVE-2012-5499)
It was discovered that Plone, included as a part of luci, allowed a remote
anonymous user to change titles of content items due to improper
permissions checks. (CVE-2012-5500)
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the
CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.
In addition, these updated conga packages include several bug fixes.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,
linked to in the References section, for information on the most
significant of these changes
All conga users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the luci and ricci services will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated conga packages that fix multiple security issues and several bugs\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Conga project is a management system for remote workstations.\nIt consists of luci, which is a secure web-based front end, and ricci,\nwhich is a secure daemon that dispatches incoming messages to underlying\nmanagement modules.\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the administrator interface (control panel). A remote attacker\ncould use this flaw to inject a specially crafted Python statement or\nscript into Plone\u0027s restricted Python sandbox that, when the administrator\ninterface was accessed, would be executed with the privileges of that\nadministrator user. (CVE-2012-5485)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nsanitize HTTP headers provided within certain URL requests. A remote\nattacker could use a specially crafted URL that, when processed, would\ncause the injected HTTP headers to be returned as a part of the Plone HTTP\nresponse, potentially allowing the attacker to perform other more advanced\nattacks. (CVE-2012-5486)\n\nMultiple information leak flaws were found in the way conga processed luci\nsite extension-related URL requests. A remote, unauthenticated attacker\ncould issue a specially crafted HTTP request that, when processed, would\nresult in unauthorized information disclosure. (CVE-2013-6496)\n\nIt was discovered that various components in the luci site\nextension-related URLs were not properly restricted to administrative\nusers. A remote, authenticated attacker could escalate their privileges to\nperform certain actions that should be restricted to administrative users,\nsuch as adding users and systems, and viewing log data. (CVE-2014-3521)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the privilege of running RestrictedPython scripts. A remote\nattacker could use a specially crafted URL that, when processed, would\nallow the attacker to submit and perform expensive computations or, in\nconjunction with other attacks, be able to access or alter privileged\ninformation. (CVE-2012-5488)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nenforce permissions checks on the membership database. A remote attacker\ncould use a specially crafted URL that, when processed, could allow the\nattacker to enumerate user account names. (CVE-2012-5497)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of requests for certain collections. A remote\nattacker could use a specially crafted URL that, when processed, would lead\nto excessive I/O and/or cache resource consumption. (CVE-2012-5498)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of very large values passed to an internal utility\nfunction. A remote attacker could use a specially crafted URL that, when\nprocessed, would lead to excessive memory consumption. (CVE-2012-5499)\n\nIt was discovered that Plone, included as a part of luci, allowed a remote\nanonymous user to change titles of content items due to improper\npermissions checks. (CVE-2012-5500)\n\nThe CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the\nCVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.\n\nIn addition, these updated conga packages include several bug fixes.\nSpace precludes documenting all of these changes in this advisory.\nUsers are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,\nlinked to in the References section, for information on the most\nsignificant of these changes\n\nAll conga users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the luci and ricci services will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1194",
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html",
"url": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "970288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=970288"
},
{
"category": "external",
"summary": "971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "1065263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065263"
},
{
"category": "external",
"summary": "1072075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072075"
},
{
"category": "external",
"summary": "1076711",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076711"
},
{
"category": "external",
"summary": "1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1194.json"
}
],
"title": "Red Hat Security Advisory: conga security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T14:29:52+00:00",
"generator": {
"date": "2024-11-14T14:29:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2014:1194",
"initial_release_date": "2014-09-16T05:28:53+00:00",
"revision_history": [
{
"date": "2014-09-16T05:28:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-09-16T05:28:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:29:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_cluster:5"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ppc",
"product": {
"name": "ricci-0:0.12.2-81.el5.ppc",
"product_id": "ricci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ppc",
"product": {
"name": "luci-0:0.12.2-81.el5.ppc",
"product_id": "luci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.i386",
"product": {
"name": "ricci-0:0.12.2-81.el5.i386",
"product_id": "ricci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.i386",
"product": {
"name": "luci-0:0.12.2-81.el5.i386",
"product_id": "luci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product_id": "ricci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "luci-0:0.12.2-81.el5.x86_64",
"product_id": "luci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ia64",
"product": {
"name": "ricci-0:0.12.2-81.el5.ia64",
"product_id": "ricci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ia64",
"product": {
"name": "luci-0:0.12.2-81.el5.ia64",
"product_id": "luci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "conga-0:0.12.2-81.el5.src",
"product": {
"name": "conga-0:0.12.2-81.el5.src",
"product_id": "conga-0:0.12.2-81.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga@0.12.2-81.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-0:0.12.2-81.el5.src as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-0:0.12.2-81.el5.src"
},
"product_reference": "conga-0:0.12.2-81.el5.src",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.i386"
},
"product_reference": "luci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ia64"
},
"product_reference": "luci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ppc"
},
"product_reference": "luci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "luci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.i386"
},
"product_reference": "ricci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ia64"
},
"product_reference": "ricci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ppc"
},
"product_reference": "ricci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "ricci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5485",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878934"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone\u0027s restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5485"
},
{
"category": "external",
"summary": "RHBZ#878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5485",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5485"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5486",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878939"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. A remote attacker could use a specially crafted URL that, when processed, would cause the injected HTTP headers to be returned as a part of the Plone HTTP response, potentially allowing the attacker to perform other more advanced attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Reflexive HTTP header injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5486"
},
{
"category": "external",
"summary": "RHBZ#878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5486",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Reflexive HTTP header injection"
},
{
"cve": "CVE-2012-5488",
"cwe": {
"id": "CWE-95",
"name": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878945"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5488"
},
{
"category": "external",
"summary": "RHBZ#878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5488",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5497",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874681"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can list user account names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5497"
},
{
"category": "external",
"summary": "RHBZ#874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5497",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5497"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can list user account names"
},
{
"cve": "CVE-2012-5498",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874665"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through Collections functionality",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5498"
},
{
"category": "external",
"summary": "RHBZ#874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5498",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through Collections functionality"
},
{
"cve": "CVE-2012-5499",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874657"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through internal function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5499"
},
{
"category": "external",
"summary": "RHBZ#874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5499",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5499"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through internal function"
},
{
"cve": "CVE-2012-5500",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874649"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can batch change titles of content items",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5500"
},
{
"category": "external",
"summary": "RHBZ#874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5500",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can batch change titles of content items"
},
{
"acknowledgments": [
{
"names": [
"Jan Pokorny"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6496",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2013-06-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "971541"
}
],
"notes": [
{
"category": "description",
"text": "Multiple information leak flaws were found in the way conga processed luci site extension-related URL requests. A remote, unauthenticated attacker could issue a specially crafted HTTP request that, when processed, would result in unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "conga: Multiple information leak flaws in various luci site extensions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6496"
},
{
"category": "external",
"summary": "RHBZ#971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6496",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "conga: Multiple information leak flaws in various luci site extensions"
},
{
"acknowledgments": [
{
"names": [
"Radek Steiger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-3521",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2014-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1112813"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "luci: unauthorized administrative access granted to non-administrative users",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-3521"
},
{
"category": "external",
"summary": "RHBZ#1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-3521",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3521"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "luci: unauthorized administrative access granted to non-administrative users"
}
]
}
rhsa-2014_1194
Vulnerability from csaf_redhat
Published
2014-09-16 05:28
Modified
2024-11-14 14:29
Summary
Red Hat Security Advisory: conga security and bug fix update
Notes
Topic
Updated conga packages that fix multiple security issues and several bugs
are now available for Red Hat Enterprise Linux 5.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
Details
The Conga project is a management system for remote workstations.
It consists of luci, which is a secure web-based front end, and ricci,
which is a secure daemon that dispatches incoming messages to underlying
management modules.
It was discovered that Plone, included as a part of luci, did not properly
protect the administrator interface (control panel). A remote attacker
could use this flaw to inject a specially crafted Python statement or
script into Plone's restricted Python sandbox that, when the administrator
interface was accessed, would be executed with the privileges of that
administrator user. (CVE-2012-5485)
It was discovered that Plone, included as a part of luci, did not properly
sanitize HTTP headers provided within certain URL requests. A remote
attacker could use a specially crafted URL that, when processed, would
cause the injected HTTP headers to be returned as a part of the Plone HTTP
response, potentially allowing the attacker to perform other more advanced
attacks. (CVE-2012-5486)
Multiple information leak flaws were found in the way conga processed luci
site extension-related URL requests. A remote, unauthenticated attacker
could issue a specially crafted HTTP request that, when processed, would
result in unauthorized information disclosure. (CVE-2013-6496)
It was discovered that various components in the luci site
extension-related URLs were not properly restricted to administrative
users. A remote, authenticated attacker could escalate their privileges to
perform certain actions that should be restricted to administrative users,
such as adding users and systems, and viewing log data. (CVE-2014-3521)
It was discovered that Plone, included as a part of luci, did not properly
protect the privilege of running RestrictedPython scripts. A remote
attacker could use a specially crafted URL that, when processed, would
allow the attacker to submit and perform expensive computations or, in
conjunction with other attacks, be able to access or alter privileged
information. (CVE-2012-5488)
It was discovered that Plone, included as a part of luci, did not properly
enforce permissions checks on the membership database. A remote attacker
could use a specially crafted URL that, when processed, could allow the
attacker to enumerate user account names. (CVE-2012-5497)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of requests for certain collections. A remote
attacker could use a specially crafted URL that, when processed, would lead
to excessive I/O and/or cache resource consumption. (CVE-2012-5498)
It was discovered that Plone, included as a part of luci, did not properly
handle the processing of very large values passed to an internal utility
function. A remote attacker could use a specially crafted URL that, when
processed, would lead to excessive memory consumption. (CVE-2012-5499)
It was discovered that Plone, included as a part of luci, allowed a remote
anonymous user to change titles of content items due to improper
permissions checks. (CVE-2012-5500)
The CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the
CVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.
In addition, these updated conga packages include several bug fixes.
Space precludes documenting all of these changes in this advisory.
Users are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,
linked to in the References section, for information on the most
significant of these changes
All conga users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. After installing this
update, the luci and ricci services will be restarted automatically.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated conga packages that fix multiple security issues and several bugs\nare now available for Red Hat Enterprise Linux 5.\n\nRed Hat Product Security has rated this update as having Moderate security\nimpact. Common Vulnerability Scoring System (CVSS) base scores, which give\ndetailed severity ratings, are available for each vulnerability from the\nCVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "The Conga project is a management system for remote workstations.\nIt consists of luci, which is a secure web-based front end, and ricci,\nwhich is a secure daemon that dispatches incoming messages to underlying\nmanagement modules.\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the administrator interface (control panel). A remote attacker\ncould use this flaw to inject a specially crafted Python statement or\nscript into Plone\u0027s restricted Python sandbox that, when the administrator\ninterface was accessed, would be executed with the privileges of that\nadministrator user. (CVE-2012-5485)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nsanitize HTTP headers provided within certain URL requests. A remote\nattacker could use a specially crafted URL that, when processed, would\ncause the injected HTTP headers to be returned as a part of the Plone HTTP\nresponse, potentially allowing the attacker to perform other more advanced\nattacks. (CVE-2012-5486)\n\nMultiple information leak flaws were found in the way conga processed luci\nsite extension-related URL requests. A remote, unauthenticated attacker\ncould issue a specially crafted HTTP request that, when processed, would\nresult in unauthorized information disclosure. (CVE-2013-6496)\n\nIt was discovered that various components in the luci site\nextension-related URLs were not properly restricted to administrative\nusers. A remote, authenticated attacker could escalate their privileges to\nperform certain actions that should be restricted to administrative users,\nsuch as adding users and systems, and viewing log data. (CVE-2014-3521)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nprotect the privilege of running RestrictedPython scripts. A remote\nattacker could use a specially crafted URL that, when processed, would\nallow the attacker to submit and perform expensive computations or, in\nconjunction with other attacks, be able to access or alter privileged\ninformation. (CVE-2012-5488)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nenforce permissions checks on the membership database. A remote attacker\ncould use a specially crafted URL that, when processed, could allow the\nattacker to enumerate user account names. (CVE-2012-5497)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of requests for certain collections. A remote\nattacker could use a specially crafted URL that, when processed, would lead\nto excessive I/O and/or cache resource consumption. (CVE-2012-5498)\n\nIt was discovered that Plone, included as a part of luci, did not properly\nhandle the processing of very large values passed to an internal utility\nfunction. A remote attacker could use a specially crafted URL that, when\nprocessed, would lead to excessive memory consumption. (CVE-2012-5499)\n\nIt was discovered that Plone, included as a part of luci, allowed a remote\nanonymous user to change titles of content items due to improper\npermissions checks. (CVE-2012-5500)\n\nThe CVE-2014-3521 issue was discovered by Radek Steiger of Red Hat, and the\nCVE-2013-6496 issue was discovered by Jan Pokorny of Red Hat.\n\nIn addition, these updated conga packages include several bug fixes.\nSpace precludes documenting all of these changes in this advisory.\nUsers are directed to the Red Hat Enterprise Linux 5.11 Technical Notes,\nlinked to in the References section, for information on the most\nsignificant of these changes\n\nAll conga users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. After installing this\nupdate, the luci and ricci services will be restarted automatically.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:1194",
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html",
"url": "https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/5.11_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "970288",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=970288"
},
{
"category": "external",
"summary": "971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "1065263",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065263"
},
{
"category": "external",
"summary": "1072075",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1072075"
},
{
"category": "external",
"summary": "1076711",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076711"
},
{
"category": "external",
"summary": "1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_1194.json"
}
],
"title": "Red Hat Security Advisory: conga security and bug fix update",
"tracking": {
"current_release_date": "2024-11-14T14:29:52+00:00",
"generator": {
"date": "2024-11-14T14:29:52+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2014:1194",
"initial_release_date": "2014-09-16T05:28:53+00:00",
"revision_history": [
{
"date": "2014-09-16T05:28:53+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-09-16T05:28:53+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:29:52+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product": {
"name": "Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_cluster:5"
}
}
}
],
"category": "product_family",
"name": "Red Hat Enterprise Linux"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ppc",
"product": {
"name": "ricci-0:0.12.2-81.el5.ppc",
"product_id": "ricci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ppc"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ppc",
"product": {
"name": "luci-0:0.12.2-81.el5.ppc",
"product_id": "luci-0:0.12.2-81.el5.ppc",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ppc"
}
}
}
],
"category": "architecture",
"name": "ppc"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.i386",
"product": {
"name": "ricci-0:0.12.2-81.el5.i386",
"product_id": "ricci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=i386"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.i386",
"product": {
"name": "luci-0:0.12.2-81.el5.i386",
"product_id": "luci-0:0.12.2-81.el5.i386",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=i386"
}
}
}
],
"category": "architecture",
"name": "i386"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "ricci-0:0.12.2-81.el5.x86_64",
"product_id": "ricci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.x86_64",
"product": {
"name": "luci-0:0.12.2-81.el5.x86_64",
"product_id": "luci-0:0.12.2-81.el5.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "ricci-0:0.12.2-81.el5.ia64",
"product": {
"name": "ricci-0:0.12.2-81.el5.ia64",
"product_id": "ricci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ricci@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_id": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga-debuginfo@0.12.2-81.el5?arch=ia64"
}
}
},
{
"category": "product_version",
"name": "luci-0:0.12.2-81.el5.ia64",
"product": {
"name": "luci-0:0.12.2-81.el5.ia64",
"product_id": "luci-0:0.12.2-81.el5.ia64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/luci@0.12.2-81.el5?arch=ia64"
}
}
}
],
"category": "architecture",
"name": "ia64"
},
{
"branches": [
{
"category": "product_version",
"name": "conga-0:0.12.2-81.el5.src",
"product": {
"name": "conga-0:0.12.2-81.el5.src",
"product_id": "conga-0:0.12.2-81.el5.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/conga@0.12.2-81.el5?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-0:0.12.2-81.el5.src as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-0:0.12.2-81.el5.src"
},
"product_reference": "conga-0:0.12.2-81.el5.src",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "conga-debuginfo-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64"
},
"product_reference": "conga-debuginfo-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.i386"
},
"product_reference": "luci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ia64"
},
"product_reference": "luci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.ppc"
},
"product_reference": "luci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "luci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:luci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "luci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.i386 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.i386"
},
"product_reference": "ricci-0:0.12.2-81.el5.i386",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ia64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ia64"
},
"product_reference": "ricci-0:0.12.2-81.el5.ia64",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.ppc as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.ppc"
},
"product_reference": "ricci-0:0.12.2-81.el5.ppc",
"relates_to_product_reference": "5Server-Cluster"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ricci-0:0.12.2-81.el5.x86_64 as a component of Red Hat Enterprise Linux Clustering (v. 5 server)",
"product_id": "5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
},
"product_reference": "ricci-0:0.12.2-81.el5.x86_64",
"relates_to_product_reference": "5Server-Cluster"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2012-5485",
"cwe": {
"id": "CWE-306",
"name": "Missing Authentication for Critical Function"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878934"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface (control panel). A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone\u0027s restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5485"
},
{
"category": "external",
"summary": "RHBZ#878934",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878934"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5485",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5485"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5485"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5486",
"cwe": {
"id": "CWE-113",
"name": "Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Request/Response Splitting\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878939"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly sanitize HTTP headers provided within certain URL requests. A remote attacker could use a specially crafted URL that, when processed, would cause the injected HTTP headers to be returned as a part of the Plone HTTP response, potentially allowing the attacker to perform other more advanced attacks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Reflexive HTTP header injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5486"
},
{
"category": "external",
"summary": "RHBZ#878939",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5486",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5486"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "(Plone): Reflexive HTTP header injection"
},
{
"cve": "CVE-2012-5488",
"cwe": {
"id": "CWE-95",
"name": "Improper Neutralization of Directives in Dynamically Evaluated Code (\u0027Eval Injection\u0027)"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "878945"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly protect the privilege of running RestrictedPython scripts. A remote attacker could use a specially crafted URL that, when processed, would allow the attacker to submit and perform expensive computations or, in conjunction with other attacks, be able to access or alter privileged information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Restricted Python injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5488"
},
{
"category": "external",
"summary": "RHBZ#878945",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878945"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5488",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5488"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5488"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.6,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Restricted Python injection"
},
{
"cve": "CVE-2012-5497",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874681"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly enforce permissions checks on the membership database. A remote attacker could use a specially crafted URL that, when processed, could allow the attacker to enumerate user account names.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can list user account names",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5497"
},
{
"category": "external",
"summary": "RHBZ#874681",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874681"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5497",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5497"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5497"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can list user account names"
},
{
"cve": "CVE-2012-5498",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874665"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of requests for certain collections. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive I/O and/or cache resource consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through Collections functionality",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5498"
},
{
"category": "external",
"summary": "RHBZ#874665",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874665"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5498",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5498"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5498"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through Collections functionality"
},
{
"cve": "CVE-2012-5499",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874657"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, did not properly handle the processing of very large values passed to an internal utility function. A remote attacker could use a specially crafted URL that, when processed, would lead to excessive memory consumption.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Partial denial of service through internal function",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5499"
},
{
"category": "external",
"summary": "RHBZ#874657",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874657"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5499",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5499"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5499"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Partial denial of service through internal function"
},
{
"cve": "CVE-2012-5500",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2012-11-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "874649"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that Plone, included as a part of luci, allowed a remote anonymous user to change titles of content items due to improper permissions checks.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "(Plone): Anonymous users can batch change titles of content items",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2012-5500"
},
{
"category": "external",
"summary": "RHBZ#874649",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=874649"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2012-5500",
"url": "https://www.cve.org/CVERecord?id=CVE-2012-5500"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5500"
}
],
"release_date": "2012-11-06T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "HIGH",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 2.6,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "(Plone): Anonymous users can batch change titles of content items"
},
{
"acknowledgments": [
{
"names": [
"Jan Pokorny"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6496",
"cwe": {
"id": "CWE-200",
"name": "Exposure of Sensitive Information to an Unauthorized Actor"
},
"discovery_date": "2013-06-06T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "971541"
}
],
"notes": [
{
"category": "description",
"text": "Multiple information leak flaws were found in the way conga processed luci site extension-related URL requests. A remote, unauthenticated attacker could issue a specially crafted HTTP request that, when processed, would result in unauthorized information disclosure.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "conga: Multiple information leak flaws in various luci site extensions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6496"
},
{
"category": "external",
"summary": "RHBZ#971541",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=971541"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6496",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6496"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6496"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "conga: Multiple information leak flaws in various luci site extensions"
},
{
"acknowledgments": [
{
"names": [
"Radek Steiger"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-3521",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2014-04-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1112813"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that various components in the luci site extension-related URLs were not properly restricted to administrative users. A remote, authenticated attacker could escalate their privileges to perform certain actions that should be restricted to administrative users, such as adding users and systems, and viewing log data.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "luci: unauthorized administrative access granted to non-administrative users",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-3521"
},
{
"category": "external",
"summary": "RHBZ#1112813",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1112813"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-3521",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-3521"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-3521"
}
],
"release_date": "2014-09-16T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-09-16T05:28:53+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"5Server-Cluster:conga-0:0.12.2-81.el5.src",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.i386",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ia64",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.ppc",
"5Server-Cluster:conga-debuginfo-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:luci-0:0.12.2-81.el5.i386",
"5Server-Cluster:luci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:luci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:luci-0:0.12.2-81.el5.x86_64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.i386",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ia64",
"5Server-Cluster:ricci-0:0.12.2-81.el5.ppc",
"5Server-Cluster:ricci-0:0.12.2-81.el5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "luci: unauthorized administrative access granted to non-administrative users"
}
]
}
ghsa-77hv-8796-8ccp
Vulnerability from github
Published
2018-07-23 19:51
Modified
2024-10-11 20:53
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
8.7 (High) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
HTTP header injection in Plone and Zope2
Details
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "Zope2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "PyPI",
"name": "Plone"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.2"
},
{
"fixed": "4.2.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.3a2"
},
"package": {
"ecosystem": "PyPI",
"name": "Plone"
},
"ranges": [
{
"events": [
{
"introduced": "4.3a1"
},
{
"fixed": "4.3b1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2012-5486"
],
"database_specific": {
"cwe_ids": [],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:21:53Z",
"nvd_published_at": "2014-09-30T14:55:00Z",
"severity": "HIGH"
},
"details": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"id": "GHSA-77hv-8796-8ccp",
"modified": "2024-10-11T20:53:34Z",
"published": "2018-07-23T19:51:50Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2012-5486"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2014:1194"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2012-5486"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=878939"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-77hv-8796-8ccp"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/plone/PYSEC-2014-28.yaml"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/tree/main/vulns/zope2/PYSEC-2014-73.yaml"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "HTTP header injection in Plone and Zope2"
}
pysec-2014-28
Vulnerability from pysec
Published
2014-09-30 14:55
Modified
2021-07-25 23:34
Details
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
Impacted products
| Name | purl | plone | pkg:pypi/plone |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "plone",
"purl": "pkg:pypi/plone"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.3"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"3.2",
"3.2.1",
"3.2.2",
"3.2.3",
"3.2a1",
"3.2rc1",
"3.3",
"3.3.1",
"3.3.2",
"3.3.3",
"3.3.4",
"3.3.5",
"3.3.6",
"3.3b1",
"3.3rc1",
"3.3rc2",
"3.3rc3",
"3.3rc4",
"3.3rc5",
"4.0",
"4.0.1",
"4.0.10",
"4.0.2",
"4.0.3",
"4.0.4",
"4.0.5",
"4.0.6",
"4.0.7",
"4.0.8",
"4.0.9",
"4.0a1",
"4.0a2",
"4.0a3",
"4.0a4",
"4.0a5",
"4.0b1",
"4.0b2",
"4.0b3",
"4.0b4",
"4.0b5",
"4.0rc1",
"4.1",
"4.1.1",
"4.1.2",
"4.1.3",
"4.1.4",
"4.1.5",
"4.1.6",
"4.1a1",
"4.1a2",
"4.1a3",
"4.1b1",
"4.1b2",
"4.1rc2",
"4.1rc3",
"4.2",
"4.2.1",
"4.2.2",
"4.2a1",
"4.2a2",
"4.2b1",
"4.2b2",
"4.2rc1",
"4.2rc2"
]
}
],
"aliases": [
"CVE-2012-5486",
"GHSA-77hv-8796-8ccp"
],
"details": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"id": "PYSEC-2014-28",
"modified": "2021-07-25T23:34:43.396566Z",
"published": "2014-09-30T14:55:00Z",
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"type": "ADVISORY",
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"type": "ADVISORY",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-77hv-8796-8ccp"
}
]
}
pysec-2014-73
Vulnerability from pysec
Published
2014-09-30 14:55
Modified
2021-07-25 23:34
Details
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
Impacted products
| Name | purl | zope2 | pkg:pypi/zope2 |
|---|
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "zope2",
"purl": "pkg:pypi/zope2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.13.19"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"2.12.0",
"2.12.0.a1",
"2.12.0a2",
"2.12.0a3",
"2.12.0a4",
"2.12.0b1",
"2.12.0b2",
"2.12.0b3",
"2.12.0b4",
"2.12.0c1",
"2.12.1",
"2.12.10",
"2.12.11",
"2.12.12",
"2.12.13",
"2.12.14",
"2.12.15",
"2.12.16",
"2.12.17",
"2.12.18",
"2.12.19",
"2.12.2",
"2.12.20",
"2.12.21",
"2.12.22",
"2.12.23",
"2.12.24",
"2.12.25",
"2.12.26",
"2.12.27",
"2.12.28",
"2.12.3",
"2.12.4",
"2.12.5",
"2.12.6",
"2.12.7",
"2.12.8",
"2.12.9",
"2.13.0",
"2.13.0a1",
"2.13.0a2",
"2.13.0a3",
"2.13.0a4",
"2.13.0b1",
"2.13.0c1",
"2.13.1",
"2.13.10",
"2.13.11",
"2.13.12",
"2.13.13",
"2.13.14",
"2.13.15",
"2.13.16",
"2.13.17",
"2.13.18",
"2.13.2",
"2.13.3",
"2.13.4",
"2.13.5",
"2.13.6",
"2.13.7",
"2.13.8",
"2.13.9"
]
}
],
"aliases": [
"CVE-2012-5486",
"GHSA-77hv-8796-8ccp"
],
"details": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"id": "PYSEC-2014-73",
"modified": "2021-07-25T23:34:58.778006Z",
"published": "2014-09-30T14:55:00Z",
"references": [
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"type": "WEB",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"type": "ADVISORY",
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"type": "WEB",
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"type": "ADVISORY",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-77hv-8796-8ccp"
}
]
}
gsd-2012-5486
Vulnerability from gsd
Modified
2023-12-13 01:20
Details
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2012-5486",
"description": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"id": "GSD-2012-5486",
"references": [
"https://access.redhat.com/errata/RHSA-2014:1194",
"https://linux.oracle.com/cve/CVE-2012-5486.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2012-5486"
],
"details": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"id": "GSD-2012-5486",
"modified": "2023-12-13T01:20:19.697370Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-5486",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://rhn.redhat.com/errata/RHSA-2014-1194.html",
"refsource": "MISC",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"name": "http://www.openwall.com/lists/oss-security/2012/11/10/1",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"name": "https://plone.org/products/plone-hotfix/releases/20121106",
"refsource": "MISC",
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"name": "https://bugs.launchpad.net/zope2/+bug/930812",
"refsource": "MISC",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"name": "https://plone.org/products/plone/security/advisories/20121106/02",
"refsource": "MISC",
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
}
]
}
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=3.3.2,\u003c4.2.3||\u003e=4.3a1,\u003c=4.3a2",
"affected_versions": "All versions starting from 3.3.2 before 4.2.3, all versions starting from 4.3a1 up to 4.3a2",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-06-11",
"description": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed character.",
"fixed_versions": [
"4.2.3",
"4.3b1"
],
"identifier": "CVE-2012-5486",
"identifiers": [
"GHSA-77hv-8796-8ccp",
"CVE-2012-5486"
],
"not_impacted": "All versions before 3.3.2, all versions starting from 4.2.3 before 4.3a1, all versions after 4.3a2",
"package_slug": "pypi/Plone",
"pubdate": "2018-07-23",
"solution": "Upgrade to versions 4.2.3, 4.3b1 or above.",
"title": "Moderate severity vulnerability that affects Plone and Zope2",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2012-5486",
"https://bugs.launchpad.net/zope2/+bug/930812",
"https://github.com/advisories/GHSA-77hv-8796-8ccp",
"https://plone.org/products/plone-hotfix/releases/20121106",
"https://plone.org/products/plone/security/advisories/20121106/02",
"http://rhn.redhat.com/errata/RHSA-2014-1194.html",
"http://www.openwall.com/lists/oss-security/2012/11/10/1"
],
"uuid": "2c372656-1512-4aef-9066-19ef0dec3502"
},
{
"affected_range": "\u003c2.13.19",
"affected_versions": "All versions before 2.13.19",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"cwe_ids": [
"CWE-1035",
"CWE-937"
],
"date": "2021-06-11",
"description": "ZPublisher.HTTPRequest._scrubHeader in Zope 2, as used in Plone beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.",
"fixed_versions": [
"2.13.19"
],
"identifier": "CVE-2012-5486",
"identifiers": [
"GHSA-77hv-8796-8ccp",
"CVE-2012-5486"
],
"not_impacted": "All versions starting from 2.13.19",
"package_slug": "pypi/Zope2",
"pubdate": "2018-07-23",
"solution": "Upgrade to version 2.13.19 or above.",
"title": "Moderate severity vulnerability that affects Plone and Zope2",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2012-5486",
"https://bugs.launchpad.net/zope2/+bug/930812",
"https://github.com/advisories/GHSA-77hv-8796-8ccp",
"https://plone.org/products/plone-hotfix/releases/20121106",
"https://plone.org/products/plone/security/advisories/20121106/02",
"http://rhn.redhat.com/errata/RHSA-2014-1194.html",
"http://www.openwall.com/lists/oss-security/2012/11/10/1"
],
"uuid": "969e75bd-0324-47eb-9c61-9b4cf74bb4f2"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:a1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:b2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:b1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:a2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.2.2",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:1.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.8.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.13.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.8.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.9.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.8.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.6.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.8.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.7.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:zope:zope:2.6.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2012-5486"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20121109 Re: Re: CVE Request - Zope / Plone: Multiple vectors corrected within 20121106 fix",
"refsource": "MLIST",
"tags": [],
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"name": "https://bugs.launchpad.net/zope2/+bug/930812",
"refsource": "CONFIRM",
"tags": [],
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"name": "https://plone.org/products/plone/security/advisories/20121106/02",
"refsource": "CONFIRM",
"tags": [
"Vendor Advisory"
],
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"name": "https://plone.org/products/plone-hotfix/releases/20121106",
"refsource": "CONFIRM",
"tags": [
"Patch"
],
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"name": "RHSA-2014:1194",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2023-02-13T04:36Z",
"publishedDate": "2014-09-30T14:55Z"
}
}
}
fkie_cve-2012-5486
Vulnerability from fkie_nvd
Published
2014-09-30 14:55
Modified
2024-11-21 01:44
Severity ?
Summary
ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character.
References
Impacted products
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:plone:plone:*:*:*:*:*:*:*:*",
"matchCriteriaId": "17D1DF1B-1EAE-4B2E-89D5-A97301AE3164",
"versionEndIncluding": "4.2.2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0:*:*:*:*:*:*:*",
"matchCriteriaId": "6A2A9AE1-47C9-4073-BC2C-08C62874FFF1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3802A1E1-0816-449E-858E-20039F4ED5DF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BC1E9D9C-97A0-4093-9492-493B1B4CD4B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "4099B8D1-1F79-4BFB-943E-158E7394D90B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "FA0E119C-876F-4226-AF5F-44763EEBA29A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "B4937F4A-147C-4AD8-BB88-C3C3C9C8ADBA",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:1.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "035E2851-A3D4-4E90-8602-F500DC469C3E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2BDEAEAC-3B26-4C95-865C-326ACD793133",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BA5D3643-BFBB-48BE-802C-D6CD940945F1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E3FC29D0-66F9-4A1A-86A6-8FD427825112",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "78E33FEC-33DA-45AC-8095-0D3C74FADC9B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "4FC93EC3-FE5D-410E-8DE5-2346D839F56C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "67D4EB7F-BC46-4F2E-B065-303961C47B1E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "08747064-EC22-40B4-92EF-4640788FE55D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "A4EB85E3-9A76-4B79-AF7D-91484784A2EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "78755057-2613-4D5E-8F59-2C117EE282B6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D49359CD-63EF-4D3A-92DC-C16DEE88138B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9DE940BA-B784-4193-AB77-333F15B6C32D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5:*:*:*:*:*:*:*",
"matchCriteriaId": "9762C674-380B-4831-BBA1-3B27742121B0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3D938645-80CE-4287-830E-A3BD0C5C84FB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "BB0F7BFC-DC20-46B3-90E7-264E3A8A7886",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5.3:*:*:*:*:*:*:*",
"matchCriteriaId": "F2C09C10-AEA0-41F4-B964-507B40580BE9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5.4:*:*:*:*:*:*:*",
"matchCriteriaId": "7B60568E-A688-46AF-B627-062A029A7324",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:2.5.5:*:*:*:*:*:*:*",
"matchCriteriaId": "8B635DAD-AC53-4484-8750-200B662DAFD1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "0B647E76-E8B8-4329-8848-3B90EB262807",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "0D0A6B8F-4018-44DC-9862-45309619DC6D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0F10374F-2BB3-48D2-B19F-9B2D038A8E35",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FEAC4F93-D26C-48F3-A7FF-8DC008FC2671",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "552661B7-093D-4B3C-8770-FCDE6032AA17",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "5180F9D2-E44B-455D-968C-792026AC832A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.0.6:*:*:*:*:*:*:*",
"matchCriteriaId": "636226E4-B880-41FE-A727-EF56CF8E6249",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "BF6E934A-C344-4861-8CD4-D18D52672D5C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "25780BBE-8013-4100-9EA8-7EFC244399A0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.2:*:*:*:*:*:*:*",
"matchCriteriaId": "A089ED64-07E6-4F4C-97AE-AF74269A4DB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EF2334C9-9B34-4C7D-93A2-172E596E05C6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "354046F4-FA55-4AFC-935A-C803D36CDE86",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "DF1496A7-6D0A-4970-B0BF-83758065BC6A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "47DEF57C-92F0-4999-AF8E-CEE27EE92CD6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.1.7:*:*:*:*:*:*:*",
"matchCriteriaId": "4BED4241-D823-402A-A389-7E52C410E2F7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "CE9A55E6-F265-4BB8-8683-3E0CFA01EC73",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "970FD910-50A4-478A-ADE6-EB912C261DAD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.2.2:*:*:*:*:*:*:*",
"matchCriteriaId": "0A490523-1063-44E4-A72A-C23070279181",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.2.3:*:*:*:*:*:*:*",
"matchCriteriaId": "D8559F17-63D1-45DB-8A28-47F729DC6686",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "FDC93803-6506-4382-A013-18010EE7E06B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E65977FD-A880-4D16-B56B-94A72774F42D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3.2:*:*:*:*:*:*:*",
"matchCriteriaId": "4EA5B4F8-2155-403D-97D8-1272285D508B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3.3:*:*:*:*:*:*:*",
"matchCriteriaId": "A3CA2943-77E5-4384-A019-415BBCE62F94",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3.4:*:*:*:*:*:*:*",
"matchCriteriaId": "B7FF63F6-F1DC-4A97-A2E6-11CF613A31E8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:3.3.5:*:*:*:*:*:*:*",
"matchCriteriaId": "538A3519-5B04-4FE5-A3C0-FD26EFA32705",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0:*:*:*:*:*:*:*",
"matchCriteriaId": "F3306D84-0F5B-46BA-9BCC-DCD0A1CDD604",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "E08F4534-A588-463F-A745-39E559AB1CB8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.2:*:*:*:*:*:*:*",
"matchCriteriaId": "B64341BA-5722-415E-9771-9837168AB7C0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.3:*:*:*:*:*:*:*",
"matchCriteriaId": "E2929227-AE19-428D-9AC3-D312A559039B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.4:*:*:*:*:*:*:*",
"matchCriteriaId": "3B6DC866-0FEE-475B-855C-A69E004810CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.5:*:*:*:*:*:*:*",
"matchCriteriaId": "50BF3E8E-152C-4E89-BAA2-A952D10F4611",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.0.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "49DB97A7-89DD-43C0-A490-84AA7069764B",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.1:*:*:*:*:*:*:*",
"matchCriteriaId": "7C44B53B-953B-4522-A5B4-11573850D2CD",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.1.4:*:*:*:*:*:*:*",
"matchCriteriaId": "47321B60-67DA-4543-B173-D629A9569B45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.1.5:*:*:*:*:*:*:*",
"matchCriteriaId": "58B36EB2-723F-4E25-8018-EEB2BE806D9D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.1.6:*:*:*:*:*:*:*",
"matchCriteriaId": "7962EF74-6AC1-424C-A202-163AFDADA971",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:*:*:*:*:*:*:*",
"matchCriteriaId": "1F1818BB-E23A-4136-898D-1D0C80C08728",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:a1:*:*:*:*:*:*",
"matchCriteriaId": "4E75A96E-2471-442A-8502-8F34EF18A477",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:a2:*:*:*:*:*:*",
"matchCriteriaId": "7971F6D6-8885-4D2A-BCDF-96D3D0C78841",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:b1:*:*:*:*:*:*",
"matchCriteriaId": "0489DDC0-E65A-4EAD-854B-033307C2945C",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:b2:*:*:*:*:*:*",
"matchCriteriaId": "659407BA-C011-4632-A355-41BD418EFA90",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:rc1:*:*:*:*:*:*",
"matchCriteriaId": "42729F4A-C726-4955-80DB-68A18F774F05",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2:rc2:*:*:*:*:*:*",
"matchCriteriaId": "9C9F5C87-AD89-4E99-BA1D-E922CD0D7691",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2.0.1:*:*:*:*:*:*:*",
"matchCriteriaId": "9E59B50E-FF75-4A97-B76A-288A2981D4FC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2.1:*:*:*:*:*:*:*",
"matchCriteriaId": "5CB06627-133A-40D1-8816-E31E0A9BAD22",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.2.1.1:*:*:*:*:*:*:*",
"matchCriteriaId": "3FE6B05A-1655-4FC1-AB07-0DF71F0021A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:plone:plone:4.3:*:*:*:*:*:*:*",
"matchCriteriaId": "CE168A35-1A46-4A6F-8A08-25CDD886066D",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:zope:zope:2.5.1:*:*:*:*:*:*:*",
"matchCriteriaId": "484BD5DA-B3D7-41C4-8E02-AE8C4EBEC5A2",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.6.1:*:*:*:*:*:*:*",
"matchCriteriaId": "60254EFC-026C-41A9-8587-ED22B2570CCF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.6.4:*:*:*:*:*:*:*",
"matchCriteriaId": "98388A7B-2DE4-4C40-9135-EB4BAD6BC69E",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E296CD1C-2601-4A63-9E9D-38A39C84BF5D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "EAA38381-4C32-4C55-8116-341028D1888A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "1B294E38-65FD-474D-BABC-9447EF33202A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "685805FD-1A33-480E-A313-255EDF0B5266",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "D827148D-4A8A-41DB-91B6-0049706D53D8",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.7:*:*:*:*:*:*:*",
"matchCriteriaId": "0273EF1B-BC64-432F-8966-68547DFAD6BC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.7.8:*:*:*:*:*:*:*",
"matchCriteriaId": "5A52CDCE-172C-4FAC-9015-ACF362E8E8A0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.8.1:*:*:*:*:*:*:*",
"matchCriteriaId": "244107E5-42B0-4695-BBC9-5B90AD0A1336",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.8.4:*:*:*:*:*:*:*",
"matchCriteriaId": "9A40B0D1-1812-4BC7-AC7D-CCE6184A9DB1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.8.6:*:*:*:*:*:*:*",
"matchCriteriaId": "62BCE60F-9081-44D3-87FC-396D1A954626",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.8.8:*:*:*:*:*:*:*",
"matchCriteriaId": "B2759CCE-3A1F-4E3F-9832-8BF3AA4F20F9",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.2:*:*:*:*:*:*:*",
"matchCriteriaId": "C0279FD6-9E30-429A-BB70-9B7AF7055160",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.3:*:*:*:*:*:*:*",
"matchCriteriaId": "78E8ABCF-A7BE-4AB7-BFE9-CF29F7E02860",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.4:*:*:*:*:*:*:*",
"matchCriteriaId": "6561FF26-91C5-40AF-8AA6-E98D295AC33F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.5:*:*:*:*:*:*:*",
"matchCriteriaId": "DAF323F8-6F93-46CB-A94C-B0774C54188F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.6:*:*:*:*:*:*:*",
"matchCriteriaId": "0EF07C5D-DE44-409F-87B6-FB713BAF2547",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.9.7:*:*:*:*:*:*:*",
"matchCriteriaId": "AACD00C8-F451-4B27-855F-57B6F38A28E6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.10.3:*:*:*:*:*:*:*",
"matchCriteriaId": "0A85B5F4-C731-45F7-801F-8399B06EE135",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.10.8:*:*:*:*:*:*:*",
"matchCriteriaId": "52629E94-50DC-4F00-8F96-217F4F2B82B3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.11.0:*:*:*:*:*:*:*",
"matchCriteriaId": "92CC66BD-4B63-4CA5-9F4E-A5F1FC6A86DC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.11.1:*:*:*:*:*:*:*",
"matchCriteriaId": "68155E38-F337-42CE-AE30-9482EBED8EA6",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.11.2:*:*:*:*:*:*:*",
"matchCriteriaId": "E7994032-FEBB-4FD3-9808-A7B277CAD8A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.11.3:*:*:*:*:*:*:*",
"matchCriteriaId": "C675DA8E-D981-4CFE-8EF7-04FD187DC5CB",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:zope:zope:2.13.18:*:*:*:*:*:*:*",
"matchCriteriaId": "DFE141CF-0196-4DCA-B328-84F8EA3D6804",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "ZPublisher.HTTPRequest._scrubHeader in Zope 2 before 2.13.19, as used in Plone before 4.3 beta 1, allows remote attackers to inject arbitrary HTTP headers via a linefeed (LF) character."
},
{
"lang": "es",
"value": "ZPublisher.HTTPRequest._scrubHeader en Zope 2 anterior a 2.13.19, utilizado en Plone anterior a 4.3 beta 1, permite a atacantes remotos inyectar cabeceras HTTP arbitrarias a trav\u00e9s de un caracter \u0027linefeed\u0027 (LF)."
}
],
"evaluatorComment": "\u003ca href = \"http://cwe.mitre.org/data/definitions/113.html\"\u003e CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027) \u003c/a\u003e",
"id": "CVE-2012-5486",
"lastModified": "2024-11-21T01:44:44.650",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.4,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
]
},
"published": "2014-09-30T14:55:05.843",
"references": [
{
"source": "secalert@redhat.com",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"source": "secalert@redhat.com",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"source": "secalert@redhat.com",
"tags": [
"Patch"
],
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://rhn.redhat.com/errata/RHSA-2014-1194.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.openwall.com/lists/oss-security/2012/11/10/1"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "https://bugs.launchpad.net/zope2/+bug/930812"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch"
],
"url": "https://plone.org/products/plone-hotfix/releases/20121106"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "https://plone.org/products/plone/security/advisories/20121106/02"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.