Action not permitted
Modal body text goes here.
cve-2013-6417
Vulnerability from cvelistv5
Published
2013-12-07 00:00
Modified
2024-08-06 17:39
Severity ?
EPSS score ?
Summary
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:39:01.423Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "RHSA-2014:0469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2013-12-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-08T10:57:01",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "RHSA-2014:0008",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "RHSA-2014:0469",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"name": "openSUSE-SU-2014:0009",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"name": "DSA-2888",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6417",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "RHSA-2014:0469",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6417",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-6417",
"datePublished": "2013-12-07T00:00:00",
"dateReserved": "2013-11-04T00:00:00",
"dateUpdated": "2024-08-06T17:39:01.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2013-6417\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2013-12-07T00:55:03.773\",\"lastModified\":\"2019-08-08T15:42:45.623\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.\"},{\"lang\":\"es\",\"value\":\"actoinpack/lib/action_dispatch/http/request.rb en Ruby on Rails anteriores a 3.2.16 y 4.x anteriores a 4.0.2 no considera correctamente las diferencias en la gesti\u00f3n de par\u00e1metros entre el componente Active Record y la implementaci\u00f3n de JSON, lo cual permite a atacantes remotos sortear restricciones de consultas a la base de datos y ejecutar comprobaciones NULL o provocar falta de cl\u00e1usulas WHERE a trav\u00e9s de una petici\u00f3n manipulada que aprovecha (1) middleware Rack de terceros o (2) middleware Rack propio. NOTA: esta vulnerabilidad existe debido a una correcci\u00f3n incompleta de CVE-2013-0155.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.4},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BE7DFE-BA20-434B-A1DE-AD038B255C60\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"DCEE5B21-C990-4705-8239-0D7B29DAEDA1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"65EE33B1-B079-4CDE-B9C2-F1613A4610DC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5CAAA20B-824F-4448-99DC-9712FE628073\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"D2BEBDFB-0F30-454A-B74C-F820C9D2708B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D7CD8C1-95D1-477E-AD96-6582EC33BA01\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"B6F00D98-3D0F-40AF-AE4F-090B1E6B660C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9476CE55-69C0-45D3-B723-6F459C90BF05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"486F5BA6-BCF7-4691-9754-19D364B4438D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"112FC73B-A8BC-4EEA-9F4B-CCE685EF2838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*\",\"matchCriteriaId\":\"E4498383-6FCA-4E17-A1FD-B0CE7EE50F85\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D26565B1-2BA6-4A3C-9264-7FC9A1820B59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"644EF85E-6D3E-4F5C-96B0-49AD2A2D90CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"392E2D58-CB39-4832-B4D9-9C2E23B8E14C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F2466EA-7039-46A1-B4A3-8DACD1953A59\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0CAB4E72-0A15-4B26-9B69-074C278568D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A085E105-9375-440A-80CB-9B23E6D7EB4A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"25911E48-C5D7-4ED8-B4DB-7523A74CCF49\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE6EC1E5-3A4A-4751-9F77-28EF5AF681E3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B29674E3-CC80-446B-9A43-82594AE7A058\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FF34D8CB-2B6D-4CB8-A206-108293BCFFE7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"8E5187F6-E3AC-4E0D-B1D0-83DE76C20A4B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"272268EE-E3E8-4683-B679-55D748877A7E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7B69FD33-61FE-4F10-BBE1-215F59035D30\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08D7CB5D-82EF-4A24-A792-938FAB40863D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"8A044B21-47D5-468D-AF4A-06B3B5CC0824\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2196F3D0-532A-40F9-843A-1DFBC8B63FDC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"CBEDA932-6CB5-438C-94E4-824732A91BE0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"903E5524-5E45-48CE-A804-EDAEBE3A79AD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"08534AF2-F94E-4FB6-A572-4FB9827276D4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"29E3B4A6-1346-4358-B7BC-84D00ED3ABBE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"B52D7A6B-DD93-45F0-9186-18ABEFF28DF4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1F07C641-48DF-43BE-9EB5-72B337C54846\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"A1CB1B12-99F5-430F-AE19-9A95C17FA123\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1A7C449-8F9A-4CE5-9C3D-375996BFAEE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"05D5D58C-DB79-41EA-81AE-5D95C48211B0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE331D6D-99BA-4369-AD8B-B556DEE4955F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"58304E17-ADFD-4686-9CCF-C1CA31843B94\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"05108EF0-81AD-4378-9843-5C23F2AC79A3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EE7DA7E-23A5-42AF-9D5C-39240CE2FBDB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0C448F62-8231-4221-ADA0-C9B848AE03D1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5FBD11A1-51C7-4AF7-AA0B-3A14C5435E70\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"60255706-C44A-48CB-B98B-A1F0991CBC74\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0456E2E8-EF06-414E-8A7D-8005F0EB46B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D9EE4763-2495-4B6A-B72F-344967E51C27\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB51F3E9-4899-49A9-9E7B-0DCA92A91DD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"F884F2F4-94F3-46CB-860B-1BCC0EEF408A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"88DFBB48-1C29-4639-9369-F5B413CA2337\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"D37696D7-BEE6-4587-9E33-A7FE24780409\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"E95B5D44-0C8D-47BC-A89D-48A5BDEB84F4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"1DFDAF6A-76AA-436F-A4F3-DA69892DE2B8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"D3172982-3FA4-427F-BE3E-2321D804E49D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"FD6EC85B-F092-48FF-966A-96B9227C8656\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*\",\"matchCriteriaId\":\"9000F3C1-57A0-474C-9C82-E58688F29838\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*\",\"matchCriteriaId\":\"6E55E42E-AB6A-4E47-AC69-DFDAEB0A8735\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A42F4E7A-6F6A-485C-8D30-95F3B0285922\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"30B9C0CB-F6E6-4233-84E4-D6E69104DD73\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"84309CC7-A8B7-4ADB-AEA1-964DA5F7B0E0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"5343241F-274D-45FF-97C7-2BC2E920BAF0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FED122B8-AF4C-4C48-B1E5-54F4A7A31A53\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"157ACCAD-0FB8-4CC9-9DFB-70835DE6506C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"3E50ACF6-7277-4C9A-B42A-E7EFDC317691\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C191DC2B-1EC3-48E0-A586-867E6EE4431C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3AA51263-6680-42C6-B119-8241D6F76206\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"B4BC41E8-FEDA-4C31-B479-D49A59FC4D63\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"09C20971-53B5-43B0-AC45-5AA0FDF1B054\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"D1AEFA5D-A793-4BAB-8DED-3D3A31260AD8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"496902D6-409A-40D9-849F-C41264BE5B04\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2482AB3F-8303-4F95-BE04-C5F06EEF2015\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"244C6952-377C-4AF0-8BA2-C34516A3EB5A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"98A79CC5-71EC-4E90-9E99-2DF62ABC0122\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6562F3C3-D794-4107-95D4-1C0B0486940B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2816C02C-E13E-4367-91F3-14756A90EC9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E82AF7C7-B725-40EF-8EE3-18F8E7FAEB29\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"1AE674DE-65DB-437E-A034-A2EE5C584B33\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0524F3E3-BAD7-4CD3-A6E7-74CFBE4B46E6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32EB2C3F-0F24-43DB-988E-BD2973598F71\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"EB32713D-FE64-445E-872E-B4678C243AB1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C55E6B4A-2B9C-46C8-A739-109EA4BA7FD4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"89C618DC-38BC-4484-8C41-BC38B7EB636B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE1EF01A-F358-45D3-ADA2-51DD1D8CB6E2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AC2616BD-A4E8-42F3-BB5A-7517DC4EDA3D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"0E376782-98B0-4766-B6FC-67E032A00C62\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"96D08DC1-14E9-4DB9-BC95-3F73B454FBC4\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"F365C9E5-27DC-46C3-AFE4-4876EC7B352B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6F0016A6-0ED6-443D-B969-CB1226D8E28C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E69470EA-5EBC-4FB9-A722-5B61C70C1140\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B13A8EBB-4211-4AB1-8872-244EEEE20ABD\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C9AB2152-DED8-4CFD-B915-94A9F56FDD05\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C630AB60-DBAF-421E-B663-492BAE8A180F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"0F41CCF8-14EB-4327-A675-83BFDBB53196\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"75842F7D-B1B1-48BA-858F-01148867B3AA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"FE65D701-AA6E-48E4-B62B-C22DEE863503\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"17B1E475-C873-4561-9348-027721C08D79\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"3.2.15\",\"matchCriteriaId\":\"38F53FB7-A292-4273-BFBE-E231235E845D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"224BD488-0D7E-4F8B-9012-DE872DEB544C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D8F0635C-4EBF-4EA3-9756-A85A3BB5026B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A325F57E-0055-4279-9ED7-A26E75FC38E5\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"9A3BA4AE-B4F0-4204-AFA1-1016F0A6F7AB\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"991F368C-CEB5-4DE6-A7EE-C341F358A4CE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"01DB164E-E08E-4649-84BD-15B4159A3AA0\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"E0F7ECFB-86A1-4F00-AD47-971FA23C6D21\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*\",\"versionEndIncluding\":\"4.0.1\",\"matchCriteriaId\":\"1FDABDDD-F2B1-4335-ABB9-76B58AEE9CCF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2E950E33-CD03-45F5-83F9-F106060B4A8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*\",\"matchCriteriaId\":\"547C62C8-4B3E-431B-AA73-5C42ED884671\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"4CDAD329-35F7-4C82-8019-A0CF6D069059\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"56D3858B-0FEE-4E8D-83C2-68AF0431F478\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"35FC7015-267C-403B-A23D-EDA6223D2104\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2013-1794.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0008.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0469.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.debian.org/security/2014/dsa-2888\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://puppet.com/security/cve/cve-2013-6417\",\"source\":\"secalert@redhat.com\"}]}}"
}
}
rhsa-2013_1794
Vulnerability from csaf_redhat
Published
2013-12-05 21:54
Modified
2024-11-14 14:24
Summary
Red Hat Security Advisory: ruby193-rubygem-actionpack security update
Notes
Topic
Updated ruby193-rubygem-actionpack packages that fix multiple security
issues are now available for Red Hat Software Collections 1.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.
A flaw was found in the way Ruby on Rails performed JSON parameter parsing.
An application using a third party library, which uses the Rack::Request
interface, or custom Rack middleware could bypass the protection
implemented to fix the CVE-2013-0155 vulnerability, causing the application
to receive unsafe parameters and become vulnerable to CVE-2013-0155.
(CVE-2013-6417)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)
All ruby193-rubygem-actionpack users are advised to upgrade to these
updated packages, which contain backported patches to correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated ruby193-rubygem-actionpack packages that fix multiple security\nissues are now available for Red Hat Software Collections 1.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components.\n\nA flaw was found in the way Ruby on Rails performed JSON parameter parsing.\nAn application using a third party library, which uses the Rack::Request\ninterface, or custom Rack middleware could bypass the protection\nimplemented to fix the CVE-2013-0155 vulnerability, causing the application\nto receive unsafe parameters and become vulnerable to CVE-2013-0155.\n(CVE-2013-6417)\n\nIt was discovered that the internationalization component of Ruby on Rails\ncould, under certain circumstances, return a fallback HTML string that\ncontained user input. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nAll ruby193-rubygem-actionpack users are advised to upgrade to these\nupdated packages, which contain backported patches to correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2013:1794",
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1794.json"
}
],
"title": "Red Hat Security Advisory: ruby193-rubygem-actionpack security update",
"tracking": {
"current_release_date": "2024-11-14T14:24:54+00:00",
"generator": {
"date": "2024-11-14T14:24:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2013:1794",
"initial_release_date": "2013-12-05T21:54:00+00:00",
"revision_history": [
{
"date": "2013-12-05T21:54:00+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2013-12-05T22:00:44+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:24:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:1::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:1::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack-doc@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Software Collections 1 for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-1.0"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Peter McLarnan"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-4491",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036922"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: i18n missing translation XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4491"
},
{
"category": "external",
"summary": "RHBZ#1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4491",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: i18n missing translation XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Toby Hsieh"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6414",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: Action View DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6414"
},
{
"category": "external",
"summary": "RHBZ#1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6414",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6414"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: Action View DoS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ankit Gupta"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6415",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: number_to_currency XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6415"
},
{
"category": "external",
"summary": "RHBZ#1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6415",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: number_to_currency XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails project"
]
}
],
"cve": "CVE-2013-6417",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036409"
}
],
"notes": [
{
"category": "description",
"text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6417"
},
{
"category": "external",
"summary": "RHBZ#1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6417"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2013-12-05T21:54:00+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2013:1794"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Workstation-RHSCL-1.0:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)"
}
]
}
rhsa-2014_0469
Vulnerability from csaf_redhat
Published
2014-05-12 18:12
Modified
2024-11-22 07:41
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix multiple security issues, several bugs, and
add various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having
Important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation needed to address the challenges of managing virtual
environments.
A flaw was found in the way Ruby on Rails' actionpack rubygem performed
JSON parameter parsing. An application using a third party library, which
uses the Rack::Request interface, or custom Rack middleware could bypass
the protection implemented to fix the CVE-2013-0155 vulnerability, causing
the application to receive unsafe parameters and become vulnerable to
CVE-2013-0155. (CVE-2013-6417)
An input sanitization flaw was found in the saved_report_delete action in
the ReportController. An authenticated Management Engine user could use
this flaw to perform an SQL injection attack on the Management Engine back
end database. (CVE-2014-0137)
It was found that Red Hat CloudForms Management Engine did not properly
check user role permissions for actions associated with catalogs.
An authenticated Management Engine user could use this flaw to delete
arbitrary catalogs regardless of the granted permissions. (CVE-2014-0078)
Multiple stack-based buffer overflow flaws were found in the date/time
implementation of PostgreSQL. An authenticated database user could provide
a specially crafted date/time value that, when processed, could cause
PostgreSQL to crash or, potentially, execute arbitrary code with the
permissions of the user running PostgreSQL. (CVE-2014-0063)
Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in various type input functions in PostgreSQL. An authenticated
database user could possibly use these flaws to crash PostgreSQL or,
potentially, execute arbitrary code with the permissions of the user
running PostgreSQL. (CVE-2014-0064, CVE-2014-2669)
Multiple potential buffer overflow flaws were found in PostgreSQL.
An authenticated database user could possibly use these flaws to crash
PostgreSQL or, potentially, execute arbitrary code with the permissions of
the user running PostgreSQL. (CVE-2014-0065)
It was found that granting an SQL role to a database user in a PostgreSQL
database without specifying the "ADMIN" option allowed the grantee to
remove other users from their granted role. An authenticated database user
could use this flaw to remove a user from an SQL role which they were
granted access to. (CVE-2014-0060)
A flaw was found in the validator functions provided by PostgreSQL's
procedural languages. An authenticated database user could possibly use
this flaw to escalate their privileges. (CVE-2014-0061)
A race condition was found in the way PostgreSQL's CREATE INDEX command
performed multiple independent lookups of a table that had to be indexed.
An authenticated database user could possibly use this flaw to escalate
their privileges. (CVE-2014-0062)
It was found that the chkpass extension of PostgreSQL did not check the
return value of the crypt() function. An authenticated database user could
possibly use this flaw to crash PostgreSQL via a null pointer dereference.
(CVE-2014-0066)
Red Hat would like to thank the Ruby on Rails project for reporting
CVE-2013-6417; upstream acknowledges Sudhir Rao as the original reporter
of this issue.
Red Hat would also like to thank the PostgreSQL project for reporting
CVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,
CVE-2014-0065, CVE-2014-0066, and CVE-2014-2669; upstream acknowledges Noah
Misch, Heikki Linnakangas, Peter Eisentraut, Jozef Mlich, Andres Freund,
Robert Haas, Honza Horak, and Bruce Momjian as the original reporters of
these issues.
The CVE-2014-0137 and CVE-2014-0078 issues were discovered by Jan Rusnacko
of the Red Hat Product Security Team.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated cfme packages that fix multiple security issues, several bugs, and\nadd various enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having\nImportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation needed to address the challenges of managing virtual\nenvironments.\n\nA flaw was found in the way Ruby on Rails\u0027 actionpack rubygem performed\nJSON parameter parsing. An application using a third party library, which\nuses the Rack::Request interface, or custom Rack middleware could bypass\nthe protection implemented to fix the CVE-2013-0155 vulnerability, causing\nthe application to receive unsafe parameters and become vulnerable to\nCVE-2013-0155. (CVE-2013-6417)\n\nAn input sanitization flaw was found in the saved_report_delete action in\nthe ReportController. An authenticated Management Engine user could use\nthis flaw to perform an SQL injection attack on the Management Engine back\nend database. (CVE-2014-0137)\n\nIt was found that Red Hat CloudForms Management Engine did not properly\ncheck user role permissions for actions associated with catalogs.\nAn authenticated Management Engine user could use this flaw to delete\narbitrary catalogs regardless of the granted permissions. (CVE-2014-0078)\n\nMultiple stack-based buffer overflow flaws were found in the date/time\nimplementation of PostgreSQL. An authenticated database user could provide\na specially crafted date/time value that, when processed, could cause\nPostgreSQL to crash or, potentially, execute arbitrary code with the\npermissions of the user running PostgreSQL. (CVE-2014-0063)\n\nMultiple integer overflow flaws, leading to heap-based buffer overflows,\nwere found in various type input functions in PostgreSQL. An authenticated\ndatabase user could possibly use these flaws to crash PostgreSQL or,\npotentially, execute arbitrary code with the permissions of the user\nrunning PostgreSQL. (CVE-2014-0064, CVE-2014-2669)\n\nMultiple potential buffer overflow flaws were found in PostgreSQL.\nAn authenticated database user could possibly use these flaws to crash\nPostgreSQL or, potentially, execute arbitrary code with the permissions of\nthe user running PostgreSQL. (CVE-2014-0065)\n\nIt was found that granting an SQL role to a database user in a PostgreSQL\ndatabase without specifying the \"ADMIN\" option allowed the grantee to\nremove other users from their granted role. An authenticated database user\ncould use this flaw to remove a user from an SQL role which they were\ngranted access to. (CVE-2014-0060)\n\nA flaw was found in the validator functions provided by PostgreSQL\u0027s\nprocedural languages. An authenticated database user could possibly use\nthis flaw to escalate their privileges. (CVE-2014-0061)\n\nA race condition was found in the way PostgreSQL\u0027s CREATE INDEX command\nperformed multiple independent lookups of a table that had to be indexed.\nAn authenticated database user could possibly use this flaw to escalate\ntheir privileges. (CVE-2014-0062)\n\nIt was found that the chkpass extension of PostgreSQL did not check the\nreturn value of the crypt() function. An authenticated database user could\npossibly use this flaw to crash PostgreSQL via a null pointer dereference.\n(CVE-2014-0066)\n\nRed Hat would like to thank the Ruby on Rails project for reporting\nCVE-2013-6417; upstream acknowledges Sudhir Rao as the original reporter\nof this issue.\n\nRed Hat would also like to thank the PostgreSQL project for reporting\nCVE-2014-0060, CVE-2014-0061, CVE-2014-0062, CVE-2014-0063, CVE-2014-0064,\nCVE-2014-0065, CVE-2014-0066, and CVE-2014-2669; upstream acknowledges Noah\nMisch, Heikki Linnakangas, Peter Eisentraut, Jozef Mlich, Andres Freund,\nRobert Haas, Honza Horak, and Bruce Momjian as the original reporters of\nthese issues.\n\nThe CVE-2014-0137 and CVE-2014-0078 issues were discovered by Jan Rusnacko\nof the Red Hat Product Security Team.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0469",
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "1064556",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1064556"
},
{
"category": "external",
"summary": "1065219",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065219"
},
{
"category": "external",
"summary": "1065220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065220"
},
{
"category": "external",
"summary": "1065222",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065222"
},
{
"category": "external",
"summary": "1065226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065226"
},
{
"category": "external",
"summary": "1065230",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065230"
},
{
"category": "external",
"summary": "1065235",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065235"
},
{
"category": "external",
"summary": "1065236",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065236"
},
{
"category": "external",
"summary": "1076688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076688"
},
{
"category": "external",
"summary": "1082154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1082154"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0469.json"
}
],
"title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:41:57+00:00",
"generator": {
"date": "2024-11-22T07:41:57+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0469",
"initial_release_date": "2014-05-12T18:12:35+00:00",
"revision_history": [
{
"date": "2014-05-12T18:12:35+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-05-12T18:12:35+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:41:57+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Management Engine",
"product": {
"name": "Management Engine",
"product_id": "6Server-CFME",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-contrib@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-plperl@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-libs@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-debuginfo@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-test@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-docs@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-upgrade@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-devel@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-server@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-plpython@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"product": {
"name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"product_id": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql-pltcl@9.2.7-1.1.el6?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "prince-0:9.0r2-4.el6cf.x86_64",
"product": {
"name": "prince-0:9.0r2-4.el6cf.x86_64",
"product_id": "prince-0:9.0r2-4.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/prince@9.0r2-4.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"product": {
"name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"product_id": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-lib@5.2.3.2-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"product_id": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.3.2-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.3.2-1.el6cf.x86_64",
"product": {
"name": "cfme-0:5.2.3.2-1.el6cf.x86_64",
"product_id": "cfme-0:5.2.3.2-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.3.2-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"product": {
"name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"product_id": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.3.2-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"product_id": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.2.3.2-1.el6cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"product": {
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"product_id": "postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/postgresql92-postgresql@9.2.7-1.1.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "prince-0:9.0r2-4.el6cf.src",
"product": {
"name": "prince-0:9.0r2-4.el6cf.src",
"product_id": "prince-0:9.0r2-4.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/prince@9.0r2-4.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.13-6.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.3.2-1.el6cf.src",
"product": {
"name": "cfme-0:5.2.3.2-1.el6cf.src",
"product_id": "cfme-0:5.2.3.2-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.3.2-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.13-6.el6cf?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.3.2-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src"
},
"product_reference": "cfme-0:5.2.3.2-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64"
},
"product_reference": "cfme-0:5.2.3.2-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64"
},
"product_reference": "cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64"
},
"product_reference": "mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.src as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src"
},
"product_reference": "postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64"
},
"product_reference": "postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "prince-0:9.0r2-4.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:prince-0:9.0r2-4.el6cf.src"
},
"product_reference": "prince-0:9.0r2-4.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "prince-0:9.0r2-4.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64"
},
"product_reference": "prince-0:9.0r2-4.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails project"
]
}
],
"cve": "CVE-2013-6417",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036409"
}
],
"notes": [
{
"category": "description",
"text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6417"
},
{
"category": "external",
"summary": "RHBZ#1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6417"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Noah Misch"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0060",
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065219"
}
],
"notes": [
{
"category": "description",
"text": "PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly enforce the ADMIN OPTION restriction, which allows remote authenticated members of a role to add or remove arbitrary users to that role by calling the SET ROLE command before the associated GRANT command.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0060"
},
{
"category": "external",
"summary": "RHBZ#1065219",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065219"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0060",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0060"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0060",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0060"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: SET ROLE without ADMIN OPTION allows adding and removing group members"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Andres Freund"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0061",
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065220"
}
],
"notes": [
{
"category": "description",
"text": "The validator functions for the procedural languages (PLs) in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to gain privileges via a function that is (1) defined in another language or (2) not allowed to be directly called by the user due to permissions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: privilege escalation via procedural language validator functions",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0061"
},
{
"category": "external",
"summary": "RHBZ#1065220",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065220"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0061",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0061"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0061",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0061"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: privilege escalation via procedural language validator functions"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Andres Freund",
"Robert Haas"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0062",
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065222"
}
],
"notes": [
{
"category": "description",
"text": "Race condition in the (1) CREATE INDEX and (2) unspecified ALTER TABLE commands in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allows remote authenticated users to create an unauthorized index or read portions of unauthorized tables by creating or deleting a table with the same name during the timing window.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: CREATE INDEX race condition possibly leading to privilege escalation",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0062"
},
{
"category": "external",
"summary": "RHBZ#1065222",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065222"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0062",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0062"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0062",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0062"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:N/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: CREATE INDEX race condition possibly leading to privilege escalation"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Noah Misch"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0063",
"cwe": {
"id": "CWE-121",
"name": "Stack-based Buffer Overflow"
},
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065226"
}
],
"notes": [
{
"category": "description",
"text": "Multiple stack-based buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to cause a denial of service (crash) or possibly execute arbitrary code via vectors related to an incorrect MAXDATELEN constant and datetime values involving (1) intervals, (2) timestamps, or (3) timezones, a different vulnerability than CVE-2014-0065.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: stack-based buffer overflow in datetime input/output",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0063"
},
{
"category": "external",
"summary": "RHBZ#1065226",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065226"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0063",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0063"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0063",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0063"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "postgresql: stack-based buffer overflow in datetime input/output"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Heikki Linnakangas",
"Noah Misch"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0064",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065230"
}
],
"notes": [
{
"category": "description",
"text": "Multiple integer overflows in the path_in and other unspecified functions in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, which trigger a buffer overflow. NOTE: this identifier has been SPLIT due to different affected versions; use CVE-2014-2669 for the hstore vector.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: integer overflows leading to buffer overflows",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0064"
},
{
"category": "external",
"summary": "RHBZ#1065230",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065230"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0064",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0064"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0064",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0064"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "postgresql: integer overflows leading to buffer overflows"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Peter Eisentraut",
"Jozef Mlich"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0065",
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065235"
}
],
"notes": [
{
"category": "description",
"text": "Multiple buffer overflows in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact and attack vectors, a different vulnerability than CVE-2014-0063.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: possible buffer overflow flaws",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0065"
},
{
"category": "external",
"summary": "RHBZ#1065235",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065235"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0065",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0065"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0065",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0065"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "postgresql: possible buffer overflow flaws"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Honza Horak",
"Bruce Momjian"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-0066",
"cwe": {
"id": "CWE-476",
"name": "NULL Pointer Dereference"
},
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1065236"
}
],
"notes": [
{
"category": "description",
"text": "The chkpass extension in PostgreSQL before 8.4.20, 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 does not properly check the return value of the crypt library function, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and crash) via unspecified vectors.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: NULL pointer dereference",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0066"
},
{
"category": "external",
"summary": "RHBZ#1065236",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1065236"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0066",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0066"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0066",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0066"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "postgresql: NULL pointer dereference"
},
{
"acknowledgments": [
{
"names": [
"Jan Rusnacko"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0078",
"cwe": {
"id": "CWE-862",
"name": "Missing Authorization"
},
"discovery_date": "2014-02-12T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1064556"
}
],
"notes": [
{
"category": "description",
"text": "The CatalogController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to delete arbitrary catalogs via vectors involving guessing the catalog ID.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: multiple authorization bypass vulnerabilities in CatalogController",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0078"
},
{
"category": "external",
"summary": "RHBZ#1064556",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1064556"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0078",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0078"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0078",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0078"
}
],
"release_date": "2014-05-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CFME: multiple authorization bypass vulnerabilities in CatalogController"
},
{
"acknowledgments": [
{
"names": [
"Jan Rusnacko"
],
"organization": "Red Hat Product Security Team",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2014-0137",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2014-03-14T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1076688"
}
],
"notes": [
{
"category": "description",
"text": "SQL injection vulnerability in the saved_report_delete action in the ReportController in Red Hat CloudForms Management Engine (CFME) before 5.2.3.2 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, related to MiqReportResult.exists.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: ReportController SQL injection",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-0137"
},
{
"category": "external",
"summary": "RHBZ#1076688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1076688"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-0137",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-0137"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-0137",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-0137"
}
],
"release_date": "2014-05-12T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.9,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "CFME: ReportController SQL injection"
},
{
"acknowledgments": [
{
"names": [
"PostgreSQL project"
]
},
{
"names": [
"Heikki Linnakangas",
"Noah Misch"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2014-2669",
"cwe": {
"id": "CWE-190",
"name": "Integer Overflow or Wraparound"
},
"discovery_date": "2014-02-10T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1082154"
}
],
"notes": [
{
"category": "description",
"text": "Multiple integer overflows in contrib/hstore/hstore_io.c in PostgreSQL 9.0.x before 9.0.16, 9.1.x before 9.1.12, 9.2.x before 9.2.7, and 9.3.x before 9.3.3 allow remote authenticated users to have unspecified impact via vectors related to the (1) hstore_recv, (2) hstore_from_arrays, and (3) hstore_from_array functions in contrib/hstore/hstore_io.c; and the (4) hstoreArrayToPairs function in contrib/hstore/hstore_op.c, which triggers a buffer overflow. NOTE: this issue was SPLIT from CVE-2014-0064 because it has a different set of affected versions.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "postgresql: multiple integer overflows in hstore_io.c",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Not vulnerable. This issue did not affect the versions of PostgreSQL as shipped with Red Hat Enterprise Linux 5 and 6.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2014-2669"
},
{
"category": "external",
"summary": "RHBZ#1082154",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1082154"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2014-2669",
"url": "https://www.cve.org/CVERecord?id=CVE-2014-2669"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2014-2669",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2014-2669"
}
],
"release_date": "2014-02-17T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-05-12T18:12:35+00:00",
"details": "These updated packages upgrade PostgreSQL to version 9.2.7, which fixes\nthese issues as well as several non-security issues. Refer to the\nPostgreSQL Release Notes for a full list of changes:\n\nhttp://www.postgresql.org/docs/9.2/static/release-9-2-7.html\n\nThis update also fixes several bugs and adds various enhancements.\nDocumentation for these changes will be available shortly from the\nTechnical Notes document linked to in the References section.\n\nAll users of Red Hat CloudForms 3.0 are advised to upgrade to these updated\npackages, which correct these issues and add these enhancements.\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0469"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.3.2-1.el6cf.x86_64",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.src",
"6Server-CFME:postgresql92-postgresql-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-contrib-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-debuginfo-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-devel-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-docs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-libs-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plperl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-plpython-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-pltcl-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-server-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-test-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:postgresql92-postgresql-upgrade-0:9.2.7-1.1.el6.x86_64",
"6Server-CFME:prince-0:9.0r2-4.el6cf.src",
"6Server-CFME:prince-0:9.0r2-4.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-actionpack-1:3.2.13-6.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "postgresql: multiple integer overflows in hstore_io.c"
}
]
}
rhsa-2014_0008
Vulnerability from csaf_redhat
Published
2014-01-06 18:02
Modified
2024-11-14 14:25
Summary
Red Hat Security Advisory: ruby193-rubygem-actionpack security update
Notes
Topic
Updated ruby193-rubygem-actionpack packages that fix multiple security
issues are now available for Red Hat OpenStack 3.0.
The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.
Details
Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.
A flaw was found in the way Ruby on Rails performed JSON parameter parsing.
An application using a third party library, which uses the Rack::Request
interface, or custom Rack middleware could bypass the protection
implemented to fix the CVE-2013-0155 vulnerability, causing the application
to receive unsafe parameters and become vulnerable to CVE-2013-0155.
(CVE-2013-6417)
It was discovered that the internationalization component of Ruby on Rails
could, under certain circumstances, return a fallback HTML string that
contained user input. A remote attacker could possibly use this flaw to
perform a reflective cross-site scripting (XSS) attack by providing a
specially crafted input to an application using the aforementioned
component. (CVE-2013-4491)
A denial of service flaw was found in the header handling component of
Action View. A remote attacker could send strings in specially crafted
headers that would be cached indefinitely, which would result in all
available system memory eventually being consumed. (CVE-2013-6414)
It was found that the number_to_currency Action View helper did not
properly escape the unit parameter. An attacker could use this flaw to
perform a cross-site scripting (XSS) attack on an application that uses
data submitted by a user in the unit parameter. (CVE-2013-6415)
Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated
packages, which correct these issues.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated ruby193-rubygem-actionpack packages that fix multiple security\nissues are now available for Red Hat OpenStack 3.0.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. Common Vulnerability Scoring System (CVSS) base\nscores, which give detailed severity ratings, are available for each\nvulnerability from the CVE links in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Ruby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components.\n\nA flaw was found in the way Ruby on Rails performed JSON parameter parsing.\nAn application using a third party library, which uses the Rack::Request\ninterface, or custom Rack middleware could bypass the protection\nimplemented to fix the CVE-2013-0155 vulnerability, causing the application\nto receive unsafe parameters and become vulnerable to CVE-2013-0155.\n(CVE-2013-6417)\n\nIt was discovered that the internationalization component of Ruby on Rails\ncould, under certain circumstances, return a fallback HTML string that\ncontained user input. A remote attacker could possibly use this flaw to\nperform a reflective cross-site scripting (XSS) attack by providing a\nspecially crafted input to an application using the aforementioned\ncomponent. (CVE-2013-4491)\n\nA denial of service flaw was found in the header handling component of\nAction View. A remote attacker could send strings in specially crafted\nheaders that would be cached indefinitely, which would result in all\navailable system memory eventually being consumed. (CVE-2013-6414)\n\nIt was found that the number_to_currency Action View helper did not\nproperly escape the unit parameter. An attacker could use this flaw to\nperform a cross-site scripting (XSS) attack on an application that uses\ndata submitted by a user in the unit parameter. (CVE-2013-6415)\n\nUsers of Red Hat OpenStack 3.0 are advised to upgrade to these updated\npackages, which correct these issues.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0008",
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0008.json"
}
],
"title": "Red Hat Security Advisory: ruby193-rubygem-actionpack security update",
"tracking": {
"current_release_date": "2024-11-14T14:25:50+00:00",
"generator": {
"date": "2024-11-14T14:25:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.0"
}
},
"id": "RHSA-2014:0008",
"initial_release_date": "2014-01-06T18:02:24+00:00",
"revision_history": [
{
"date": "2014-01-06T18:02:24+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-06T18:02:25+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-14T14:25:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
"product": {
"name": "Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:openstack:3::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat OpenStack Platform"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=src\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_id": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-actionpack-doc@3.2.8-5.1.el6?arch=noarch\u0026epoch=1"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-Grizzly"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src"
},
"product_reference": "ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"relates_to_product_reference": "6Server-Grizzly"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch as a component of Red Hat Enterprise Linux OpenStack Platform 3.0",
"product_id": "6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
},
"product_reference": "ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch",
"relates_to_product_reference": "6Server-Grizzly"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Peter McLarnan"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-4491",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036922"
}
],
"notes": [
{
"category": "description",
"text": "It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: i18n missing translation XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-4491"
},
{
"category": "external",
"summary": "RHBZ#1036922",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036922"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-4491",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-4491"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-4491"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: i18n missing translation XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Toby Hsieh"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6414",
"cwe": {
"id": "CWE-400",
"name": "Uncontrolled Resource Consumption"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036483"
}
],
"notes": [
{
"category": "description",
"text": "A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: Action View DoS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6414"
},
{
"category": "external",
"summary": "RHBZ#1036483",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036483"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6414",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6414"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6414"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: Action View DoS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails upstream"
]
},
{
"names": [
"Ankit Gupta"
],
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2013-6415",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036910"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: number_to_currency XSS",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6415"
},
{
"category": "external",
"summary": "RHBZ#1036910",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036910"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6415",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6415"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6415"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "rubygem-actionpack: number_to_currency XSS"
},
{
"acknowledgments": [
{
"names": [
"Ruby on Rails project"
]
}
],
"cve": "CVE-2013-6417",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
},
"discovery_date": "2013-12-01T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1036409"
}
],
"notes": [
{
"category": "description",
"text": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6417"
},
{
"category": "external",
"summary": "RHBZ#1036409",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1036409"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6417",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6417"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
}
],
"release_date": "2013-12-03T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-06T18:02:24+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0008"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.noarch",
"6Server-Grizzly:ruby193-rubygem-actionpack-1:3.2.8-5.1.el6.src",
"6Server-Grizzly:ruby193-rubygem-actionpack-doc-1:3.2.8-5.1.el6.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013- 0155)"
}
]
}
gsd-2013-6417
Vulnerability from gsd
Modified
2013-12-03 00:00
Details
The prior fix to CVE-2013-0155 was incomplete and the use of common
3rd party libraries can accidentally circumvent the protection. Due
to the way that Rack::Request and Rails::Request interact, it is
possible for a 3rd party or custom rack middleware to parse the
parameters insecurely and store them in the same key that Rails uses
for its own parameters. In the event that happens the application
will receive unsafe parameters and could be vulnerable to the earlier
vulnerability.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-6417",
"description": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"id": "GSD-2013-6417",
"references": [
"https://www.suse.com/security/cve/CVE-2013-6417.html",
"https://www.debian.org/security/2014/dsa-2888",
"https://access.redhat.com/errata/RHSA-2014:0469",
"https://access.redhat.com/errata/RHSA-2014:0008",
"https://access.redhat.com/errata/RHSA-2013:1794"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack",
"purl": "pkg:gem/actionpack"
}
}
],
"aliases": [
"CVE-2013-6417",
"OSVDB-100527"
],
"details": "The prior fix to CVE-2013-0155 was incomplete and the use of common\n3rd party libraries can accidentally circumvent the protection. Due\nto the way that Rack::Request and Rails::Request interact, it is\npossible for a 3rd party or custom rack middleware to parse the\nparameters insecurely and store them in the same key that Rails uses\nfor its own parameters. In the event that happens the application\nwill receive unsafe parameters and could be vulnerable to the earlier\nvulnerability.\n",
"id": "GSD-2013-6417",
"modified": "2013-12-03T00:00:00.000Z",
"published": "2013-12-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.4,
"type": "CVSS_V2"
}
],
"summary": "Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6417",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "RHSA-2014:0469",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6417",
"refsource": "CONFIRM",
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2013-6417",
"cvss_v2": 6.4,
"date": "2013-12-03",
"description": "The prior fix to CVE-2013-0155 was incomplete and the use of common\n3rd party libraries can accidentally circumvent the protection. Due\nto the way that Rack::Request and Rails::Request interact, it is\npossible for a 3rd party or custom rack middleware to parse the\nparameters insecurely and store them in the same key that Rails uses\nfor its own parameters. In the event that happens the application\nwill receive unsafe parameters and could be vulnerable to the earlier\nvulnerability.\n",
"framework": "rails",
"gem": "actionpack",
"osvdb": 100527,
"patched_versions": [
"~\u003e 3.2.16",
"\u003e= 4.0.2"
],
"title": "Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003e=2.0.0 \u003c3.2.16||\u003e=4.0.0.beta1 \u003c4.0.2",
"affected_versions": "All versions starting from 2.0.0 before 3.2.16, all versions starting from 4.0.0.beta1 before 4.0.2",
"credit": "Sudhir Rao",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-264",
"CWE-937"
],
"date": "2019-08-08",
"description": "Due to the way that `Rack::Request` and `Rails::Request` interact, it is possible for a 3rd party or custom rack middleware to parse the parameters insecurely and store them in the same key that Rails uses for its own parameters. In the event that happens the application will receive unsafe parameters and could be vulnerable to the earlier vulnerability: it would be possible for an attacker to issue unexpected database queries with `IS NULL` or empty where clauses.",
"fixed_versions": [
"3.2.16",
"4.0.2"
],
"identifier": "CVE-2013-6417",
"identifiers": [
"CVE-2013-6417"
],
"not_impacted": "To be sure you\u0027re not impacted, you need to audit your middleware chain and ensure that each of the libraries in use does not create an instance of Rack::Request.",
"package_slug": "gem/actionpack",
"pubdate": "2013-12-06",
"solution": "Upgrade to latest or use patches (see source)",
"title": "Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"urls": [
"http://seclists.org/oss-sec/2013/q4/403"
],
"uuid": "e09e1383-e450-4cb7-81c7-296a7ee346bc"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.15:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.2.15",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.20:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.9:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.1.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.19:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.18:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.2.14:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.13:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.17:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.16:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:*:-:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "4.0.1",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6417"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-264"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[ruby-security-ann] 20131203 [CVE-2013-6417] Incomplete fix to CVE-2013-0155 (Unsafe Query Generation Risk)",
"refsource": "MLIST",
"tags": [],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"name": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/",
"refsource": "CONFIRM",
"tags": [],
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/"
},
{
"name": "RHSA-2013:1794",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"name": "openSUSE-SU-2013:1904",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"name": "openSUSE-SU-2013:1906",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"name": "openSUSE-SU-2013:1907",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"name": "openSUSE-SU-2014:0009",
"refsource": "SUSE",
"tags": [],
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"name": "RHSA-2014:0008",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"name": "DSA-2888",
"refsource": "DEBIAN",
"tags": [],
"url": "http://www.debian.org/security/2014/dsa-2888"
},
{
"name": "RHSA-2014:0469",
"refsource": "REDHAT",
"tags": [],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"name": "https://puppet.com/security/cve/cve-2013-6417",
"refsource": "CONFIRM",
"tags": [],
"url": "https://puppet.com/security/cve/cve-2013-6417"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 6.4,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
}
},
"lastModifiedDate": "2019-08-08T15:42Z",
"publishedDate": "2013-12-07T00:55Z"
}
}
}
ghsa-wpw7-wxjm-cw8r
Vulnerability from github
Published
2017-10-24 18:33
Modified
2023-08-25 19:25
Summary
actionpack allows bypass of database-query restrictions
Details
actionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.2.16"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "actionpack"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0"
},
{
"fixed": "4.0.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2013-6417"
],
"database_specific": {
"cwe_ids": [
"CWE-284"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T22:00:55Z",
"nvd_published_at": "2013-12-07T00:55:00Z",
"severity": "MODERATE"
},
"details": "`actionpack/lib/action_dispatch/http/request.rb` in Ruby on Rails before 3.2.16 and 4.x before 4.0.2 does not properly consider differences in parameter handling between the Active Record component and the JSON implementation, which allows remote attackers to bypass intended database-query restrictions and perform NULL checks or trigger missing WHERE clauses via a crafted request that leverages (1) third-party Rack middleware or (2) custom Rack middleware. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-0155.",
"id": "GHSA-wpw7-wxjm-cw8r",
"modified": "2023-08-25T19:25:00Z",
"published": "2017-10-24T18:33:36Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6417"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/rails"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2013-6417.yml"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/niK4drpSHT4"
},
{
"type": "WEB",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/niK4drpSHT4/g8JW8ZsayRkJ"
},
{
"type": "WEB",
"url": "https://puppet.com/security/cve/cve-2013-6417"
},
{
"type": "WEB",
"url": "https://web.archive.org/web/20160806051251/https://puppet.com/security/cve/cve-2013-6417"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html"
},
{
"type": "WEB",
"url": "http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2013-1794.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0008.html"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0469.html"
},
{
"type": "WEB",
"url": "http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released"
},
{
"type": "WEB",
"url": "http://www.debian.org/security/2014/dsa-2888"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "actionpack allows bypass of database-query restrictions"
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.