cvelistv5 - cve-2013-0314

cve-2013-0314

Vulnerability from cvelistv5

Published

2013-04-12 22:00

Modified

2024-08-06 14:25

Severity ?

Summary

The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-0613.html	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/52552	Vendor Advisory
secalert@redhat.com	http://www.osvdb.org/91120
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=913327
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-0613.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/52552	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/91120
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=913327

Impacted products

Vendor

Product

Version

▼

n/a

Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T14:25:09.030Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
          },
          {
            "name": "52552",
            "tags": [
              "third-party-advisory",
              "x_refsource_SECUNIA",
              "x_transferred"
            ],
            "url": "http://secunia.com/advisories/52552"
          },
          {
            "name": "91120",
            "tags": [
              "vdb-entry",
              "x_refsource_OSVDB",
              "x_transferred"
            ],
            "url": "http://www.osvdb.org/91120"
          },
          {
            "name": "RHSA-2013:0613",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2013-04-12T22:00:00Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
        },
        {
          "name": "52552",
          "tags": [
            "third-party-advisory",
            "x_refsource_SECUNIA"
          ],
          "url": "http://secunia.com/advisories/52552"
        },
        {
          "name": "91120",
          "tags": [
            "vdb-entry",
            "x_refsource_OSVDB"
          ],
          "url": "http://www.osvdb.org/91120"
        },
        {
          "name": "RHSA-2013:0613",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2013-0314",
    "datePublished": "2013-04-12T22:00:00Z",
    "dateReserved": "2012-12-06T00:00:00Z",
    "dateUpdated": "2024-08-06T14:25:09.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.\"}, {\"lang\": \"es\", \"value\": \"El gadget GateIn Portal de exportaci\\u00f3n/importaci\\u00f3n en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticaci\\u00f3n al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los portlets.\"}]",
      "id": "CVE-2013-0314",
      "lastModified": "2024-11-21T01:47:17.343",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2013-04-12T22:55:01.163",
      "references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0613.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/52552\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.osvdb.org/91120\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=913327\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2013-0613.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://secunia.com/advisories/52552\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.osvdb.org/91120\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=913327\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "secalert@redhat.com",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-287\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2013-0314\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-04-12T22:55:01.163\",\"lastModified\":\"2024-11-21T01:47:17.343\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.\"},{\"lang\":\"es\",\"value\":\"El gadget GateIn Portal de exportaci\u00f3n/importaci\u00f3n en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticaci\u00f3n al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los portlets.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-287\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0613.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/52552\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/91120\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=913327\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-0613.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://secunia.com/advisories/52552\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.osvdb.org/91120\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=913327\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

rhsa-2013:0613

Vulnerability from csaf_redhat

Published

2013-03-07 18:54

Modified

2024-11-22 06:19

Summary

Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update

Notes

Topic

An update for the GateIn Portal component in JBoss Enterprise Portal Platform 5.2.2 that fixes two security issues is now available from the Red Hat Customer Portal. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Details

JBoss Enterprise Portal Platform is the open source implementation of the Java EE suite of services and Portal services running atop JBoss Enterprise Application Platform. It comprises a set of offerings for enterprise customers who are looking for pre-configured profiles of JBoss Enterprise Middleware components that have been tested and certified together to provide an integrated experience. It was found that the GateIn Portal export/import gadget allowed an export ZIP to be uploaded and imported to a site without authentication. A remote attacker could use this flaw to modify the contents of a site, remove the site, or modify access controls applied to portlets in the site. (CVE-2013-0314) It was found that the GateIn Portal export/import gadget was vulnerable to XXE (XML External Entity) attacks. If the XML provided to the import gadget contained an external XML entity, this XML entity would be resolved. A remote attacker who can access the import gadget could use this flaw to read files in the context of the user running the application server. (CVE-2013-0315) The CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and CVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red Hat Security Response Team. Warning: Before applying this update, back up all applications deployed on JBoss Enterprise Portal Platform, along with all customized configuration files, and any databases and database settings. All users of JBoss Enterprise Portal Platform 5.2.2 as provided from the Red Hat Customer Portal are advised to install this update.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the GateIn Portal component in JBoss Enterprise Portal\nPlatform 5.2.2 that fixes two security issues is now available from the\nRed Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Enterprise Portal Platform is the open source implementation of the\nJava EE suite of services and Portal services running atop JBoss Enterprise\nApplication Platform. It comprises a set of offerings for enterprise\ncustomers who are looking for pre-configured profiles of JBoss Enterprise\nMiddleware components that have been tested and certified together to\nprovide an integrated experience.\n\nIt was found that the GateIn Portal export/import gadget allowed an export\nZIP to be uploaded and imported to a site without authentication. A remote\nattacker could use this flaw to modify the contents of a site, remove the\nsite, or modify access controls applied to portlets in the site.\n(CVE-2013-0314)\n\nIt was found that the GateIn Portal export/import gadget was vulnerable to\nXXE (XML External Entity) attacks. If the XML provided to the import gadget\ncontained an external XML entity, this XML entity would be resolved. A\nremote attacker who can access the import gadget could use this flaw to\nread files in the context of the user running the application server.\n(CVE-2013-0315)\n\nThe CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and\nCVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red\nHat Security Response Team.\n\nWarning: Before applying this update, back up all applications deployed on\nJBoss Enterprise Portal Platform, along with all customized configuration\nfiles, and any databases and database settings.\n\nAll users of JBoss Enterprise Portal Platform 5.2.2 as provided from the\nRed Hat Customer Portal are advised to install this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:0613",
        "url": "https://access.redhat.com/errata/RHSA-2013:0613"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
      },
      {
        "category": "external",
        "summary": "913327",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
      },
      {
        "category": "external",
        "summary": "913340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0613.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update",
    "tracking": {
      "current_release_date": "2024-11-22T06:19:12+00:00",
      "generator": {
        "date": "2024-11-22T06:19:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:0613",
      "initial_release_date": "2013-03-07T18:54:00+00:00",
      "revision_history": [
        {
          "date": "2013-03-07T18:54:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-03-07T19:07:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T06:19:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Nick Scavelli"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0314",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2013-02-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913327"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: remote unauthenticated site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "RHBZ#913327",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0314",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Portal: remote unauthenticated site import"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Arun Neelicattu"
          ]
        },
        {
          "names": [
            "David Jorm"
          ],
          "organization": "Red Hat Security Response Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0315",
      "discovery_date": "2013-02-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913340"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: XML eXternal Entity (XXE) flaw in site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "RHBZ#913340",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0315",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Portal: XML eXternal Entity (XXE) flaw in site import"
    }
  ]
}

rhsa-2013_0613

Vulnerability from csaf_redhat

Published

2013-03-07 18:54

Modified

2024-11-22 06:19

Summary

Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the GateIn Portal component in JBoss Enterprise Portal\nPlatform 5.2.2 that fixes two security issues is now available from the\nRed Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Enterprise Portal Platform is the open source implementation of the\nJava EE suite of services and Portal services running atop JBoss Enterprise\nApplication Platform. It comprises a set of offerings for enterprise\ncustomers who are looking for pre-configured profiles of JBoss Enterprise\nMiddleware components that have been tested and certified together to\nprovide an integrated experience.\n\nIt was found that the GateIn Portal export/import gadget allowed an export\nZIP to be uploaded and imported to a site without authentication. A remote\nattacker could use this flaw to modify the contents of a site, remove the\nsite, or modify access controls applied to portlets in the site.\n(CVE-2013-0314)\n\nIt was found that the GateIn Portal export/import gadget was vulnerable to\nXXE (XML External Entity) attacks. If the XML provided to the import gadget\ncontained an external XML entity, this XML entity would be resolved. A\nremote attacker who can access the import gadget could use this flaw to\nread files in the context of the user running the application server.\n(CVE-2013-0315)\n\nThe CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and\nCVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red\nHat Security Response Team.\n\nWarning: Before applying this update, back up all applications deployed on\nJBoss Enterprise Portal Platform, along with all customized configuration\nfiles, and any databases and database settings.\n\nAll users of JBoss Enterprise Portal Platform 5.2.2 as provided from the\nRed Hat Customer Portal are advised to install this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:0613",
        "url": "https://access.redhat.com/errata/RHSA-2013:0613"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
      },
      {
        "category": "external",
        "summary": "913327",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
      },
      {
        "category": "external",
        "summary": "913340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0613.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update",
    "tracking": {
      "current_release_date": "2024-11-22T06:19:12+00:00",
      "generator": {
        "date": "2024-11-22T06:19:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:0613",
      "initial_release_date": "2013-03-07T18:54:00+00:00",
      "revision_history": [
        {
          "date": "2013-03-07T18:54:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-03-07T19:07:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T06:19:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Nick Scavelli"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0314",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2013-02-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913327"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: remote unauthenticated site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "RHBZ#913327",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0314",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Portal: remote unauthenticated site import"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Arun Neelicattu"
          ]
        },
        {
          "names": [
            "David Jorm"
          ],
          "organization": "Red Hat Security Response Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0315",
      "discovery_date": "2013-02-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913340"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: XML eXternal Entity (XXE) flaw in site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "RHBZ#913340",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0315",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Portal: XML eXternal Entity (XXE) flaw in site import"
    }
  ]
}

RHSA-2013:0613

Vulnerability from csaf_redhat

Published

2013-03-07 18:54

Modified

2024-11-22 06:19

Summary

Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update for the GateIn Portal component in JBoss Enterprise Portal\nPlatform 5.2.2 that fixes two security issues is now available from the\nRed Hat Customer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "JBoss Enterprise Portal Platform is the open source implementation of the\nJava EE suite of services and Portal services running atop JBoss Enterprise\nApplication Platform. It comprises a set of offerings for enterprise\ncustomers who are looking for pre-configured profiles of JBoss Enterprise\nMiddleware components that have been tested and certified together to\nprovide an integrated experience.\n\nIt was found that the GateIn Portal export/import gadget allowed an export\nZIP to be uploaded and imported to a site without authentication. A remote\nattacker could use this flaw to modify the contents of a site, remove the\nsite, or modify access controls applied to portlets in the site.\n(CVE-2013-0314)\n\nIt was found that the GateIn Portal export/import gadget was vulnerable to\nXXE (XML External Entity) attacks. If the XML provided to the import gadget\ncontained an external XML entity, this XML entity would be resolved. A\nremote attacker who can access the import gadget could use this flaw to\nread files in the context of the user running the application server.\n(CVE-2013-0315)\n\nThe CVE-2013-0314 issue was discovered by Nick Scavelli of Red Hat, and\nCVE-2013-0315 was discovered by Arun Neelicattu and David Jorm of the Red\nHat Security Response Team.\n\nWarning: Before applying this update, back up all applications deployed on\nJBoss Enterprise Portal Platform, along with all customized configuration\nfiles, and any databases and database settings.\n\nAll users of JBoss Enterprise Portal Platform 5.2.2 as provided from the\nRed Hat Customer Portal are advised to install this update.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:0613",
        "url": "https://access.redhat.com/errata/RHSA-2013:0613"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2",
        "url": "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal\u0026downloadType=securityPatches\u0026version=5.2.2"
      },
      {
        "category": "external",
        "summary": "913327",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
      },
      {
        "category": "external",
        "summary": "913340",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_0613.json"
      }
    ],
    "title": "Red Hat Security Advisory: JBoss Enterprise Portal Platform 5.2.2 security update",
    "tracking": {
      "current_release_date": "2024-11-22T06:19:12+00:00",
      "generator": {
        "date": "2024-11-22T06:19:12+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:0613",
      "initial_release_date": "2013-03-07T18:54:00+00:00",
      "revision_history": [
        {
          "date": "2013-03-07T18:54:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-03-07T19:07:17+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T06:19:12+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat JBoss Portal 5.2",
                "product": {
                  "name": "Red Hat JBoss Portal 5.2",
                  "product_id": "Red Hat JBoss Portal 5.2",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:jboss_enterprise_portal_platform:5.2.2"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat JBoss Middleware"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Nick Scavelli"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0314",
      "cwe": {
        "id": "CWE-306",
        "name": "Missing Authentication for Critical Function"
      },
      "discovery_date": "2013-02-20T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913327"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: remote unauthenticated site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "RHBZ#913327",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0314",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0314"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "Portal: remote unauthenticated site import"
    },
    {
      "acknowledgments": [
        {
          "names": [
            "Arun Neelicattu"
          ]
        },
        {
          "names": [
            "David Jorm"
          ],
          "organization": "Red Hat Security Response Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-0315",
      "discovery_date": "2013-02-21T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "913340"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 allows remote attackers to read arbitrary files via a crafted external XML entity in an XML document, aka an XML Entity Expansion (XEE) attack.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Portal: XML eXternal Entity (XXE) flaw in site import",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat JBoss Portal 5.2"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "RHBZ#913340",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913340"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-0315",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-0315"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0315"
        }
      ],
      "release_date": "2013-03-07T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-03-07T18:54:00+00:00",
          "details": "The References section of this erratum contains a download link (you must\nlog in to download the update). Before applying the update, back up all\napplications deployed on JBoss Enterprise Portal Platform, along with all\ncustomized configuration files, and any databases and database settings.\n\nNote that it is recommended to halt the JBoss Enterprise Portal Platform\nserver by stopping the JBoss Application Server process before installing\nthis update, and then after installing the update, restart the JBoss\nEnterprise Portal Platform server by starting the JBoss Application Server\nprocess.",
          "product_ids": [
            "Red Hat JBoss Portal 5.2"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:0613"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "products": [
            "Red Hat JBoss Portal 5.2"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Portal: XML eXternal Entity (XXE) flaw in site import"
    }
  ]
}

gsd-2013-0314

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2013-0314

Aliases

CVE-2013-0314

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-0314",
    "description": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
    "id": "GSD-2013-0314",
    "references": [
      "https://access.redhat.com/errata/RHSA-2013:0613"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-0314"
      ],
      "details": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
      "id": "GSD-2013-0314",
      "modified": "2023-12-13T01:22:15.029729Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-0314",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-0613.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
          },
          {
            "name": "http://secunia.com/advisories/52552",
            "refsource": "MISC",
            "url": "http://secunia.com/advisories/52552"
          },
          {
            "name": "http://www.osvdb.org/91120",
            "refsource": "MISC",
            "url": "http://www.osvdb.org/91120"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=913327",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-0314"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-287"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=913327",
              "refsource": "MISC",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
            },
            {
              "name": "RHSA-2013:0613",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
            },
            {
              "name": "52552",
              "refsource": "SECUNIA",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://secunia.com/advisories/52552"
            },
            {
              "name": "91120",
              "refsource": "OSVDB",
              "tags": [],
              "url": "http://www.osvdb.org/91120"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2013-04-15T04:00Z",
      "publishedDate": "2013-04-12T22:55Z"
    }
  }
}

cve-2013-0314

Vulnerability from fkie_nvd

Published

2013-04-12 22:55

Modified

2024-11-21 01:47

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-0613.html	Vendor Advisory
secalert@redhat.com	http://secunia.com/advisories/52552	Vendor Advisory
secalert@redhat.com	http://www.osvdb.org/91120
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=913327
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-0613.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/52552	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.osvdb.org/91120
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=913327

Impacted products

	Vendor	Product	Version
	redhat	jboss_enterprise_portal_platform	5.2.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:jboss_enterprise_portal_platform:5.2.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "3451D2AD-BB7B-4149-97C3-2DB1BCC0EF85",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets."
    },
    {
      "lang": "es",
      "value": "El gadget GateIn Portal de exportaci\u00f3n/importaci\u00f3n en JBoss Enterprise Portal Platform v5.2.2 no comprueba correctamente la autenticaci\u00f3n al importar archivos Zip, lo que permite a atacantes remotos modificar el contenido del sitio, quitar el sitio, o alterar los controles de acceso para los portlets."
    }
  ],
  "id": "CVE-2013-0314",
  "lastModified": "2024-11-21T01:47:17.343",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-04-12T22:55:01.163",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/52552"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.osvdb.org/91120"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://secunia.com/advisories/52552"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.osvdb.org/91120"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-287"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

ghsa-5gr9-q682-676m

Vulnerability from github

Published

2022-05-05 02:48

Modified

2022-05-05 02:48

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-0314"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-287"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-04-12T22:55:00Z",
    "severity": "HIGH"
  },
  "details": "The GateIn Portal export/import gadget in JBoss Enterprise Portal Platform 5.2.2 does not properly check authentication when importing Zip files, which allows remote attackers to modify site contents, remove the site, or alter the access controls for portlets.",
  "id": "GHSA-5gr9-q682-676m",
  "modified": "2022-05-05T02:48:46Z",
  "published": "2022-05-05T02:48:46Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-0314"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=913327"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-0613.html"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/52552"
    },
    {
      "type": "WEB",
      "url": "http://www.osvdb.org/91120"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

cve-2013-0314

Vulnerability from cvelistv5

rhsa-2013:0613

Vulnerability from csaf_redhat

rhsa-2013_0613

Vulnerability from csaf_redhat

RHSA-2013:0613

Vulnerability from csaf_redhat

gsd-2013-0314

Vulnerability from gsd

cve-2013-0314

Vulnerability from fkie_nvd

ghsa-5gr9-q682-676m

Vulnerability from github

Tags

Sightings

Nomenclature