Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2013-6443
Vulnerability from cvelistv5
Published
2014-01-23 01:00
Modified
2024-08-06 17:39
Severity ?
EPSS score ?
Summary
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T17:39:01.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "1029606",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1029606"
},
{
"name": "RHSA-2014:0025",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-01-14T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2014-01-23T00:57:00",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "1029606",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1029606"
},
{
"name": "RHSA-2014:0025",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1029606",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1029606"
},
{
"name": "RHSA-2014:0025",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2013-6443",
"datePublished": "2014-01-23T01:00:00",
"dateReserved": "2013-11-04T00:00:00",
"dateUpdated": "2024-08-06T17:39:01.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E497C765-C720-4566-BB73-705C36AEA59A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"5.2.1\", \"matchCriteriaId\": \"C4F9D471-71B8-413D-9298-286D875F53A9\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"D21CFAD1-5422-4595-841D-A80F940B1545\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.\"}, {\"lang\": \"es\", \"value\": \"CloudForms 3.0 Management Engine anterior a la versi\\u00f3n 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a trav\\u00e9s de una acci\\u00f3n destructiva en una petici\\u00f3n.\"}]",
"id": "CVE-2013-6443",
"lastModified": "2024-11-21T01:59:14.567",
"metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:N/C:P/I:P/A:P\", \"baseScore\": 6.8, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 8.6, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2014-01-23T01:55:03.773",
"references": "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0025.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1029606\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2014-0025.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securitytracker.com/id/1029606\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-352\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2013-6443\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2014-01-23T01:55:03.773\",\"lastModified\":\"2024-11-21T01:59:14.567\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.\"},{\"lang\":\"es\",\"value\":\"CloudForms 3.0 Management Engine anterior a la versi\u00f3n 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a trav\u00e9s de una acci\u00f3n destructiva en una petici\u00f3n.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"baseScore\":6.8,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-352\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E497C765-C720-4566-BB73-705C36AEA59A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"5.2.1\",\"matchCriteriaId\":\"C4F9D471-71B8-413D-9298-286D875F53A9\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"D21CFAD1-5422-4595-841D-A80F940B1545\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0025.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1029606\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2014-0025.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securitytracker.com/id/1029606\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
}
}
rhsa-2014:0025
Vulnerability from csaf_redhat
Published
2014-01-14 19:16
Modified
2024-11-22 07:16
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation enterprises need to address the challenges of managing virtual
environments, which are far more complex than physical ones. This
technology enables enterprises with existing virtual infrastructures
to improve visibility and control, and those just starting virtualization
deployments to build and operate a well-managed virtual infrastructure.
It was found that sending a GET request for a destructive action could
bypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker
could use this flaw to perform Cross-Site Request Forgery (CSRF) attacks
against CloudForms applications. (CVE-2013-6443)
This issue was discovered by Martin Povolný of Red Hat.
This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Red Hat
CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the
References section.
All users of Red Hat CloudForms are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated cfme packages that fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation enterprises need to address the challenges of managing virtual\nenvironments, which are far more complex than physical ones. This\ntechnology enables enterprises with existing virtual infrastructures\nto improve visibility and control, and those just starting virtualization\ndeployments to build and operate a well-managed virtual infrastructure.\n\nIt was found that sending a GET request for a destructive action could\nbypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker\ncould use this flaw to perform Cross-Site Request Forgery (CSRF) attacks\nagainst CloudForms applications. (CVE-2013-6443)\n\nThis issue was discovered by Martin Povoln\u00fd of Red Hat.\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the Red Hat\nCloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the\nReferences section.\n\nAll users of Red Hat CloudForms are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0025",
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0025.json"
}
],
"title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:16:09+00:00",
"generator": {
"date": "2024-11-22T07:16:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0025",
"initial_release_date": "2014-01-14T19:16:52+00:00",
"revision_history": [
{
"date": "2014-01-14T19:16:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-14T19:16:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:16:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Management Engine",
"product": {
"name": "Management Engine",
"product_id": "6Server-CFME",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product_id": "cfme-0:5.2.1.8-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-lib@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.1.8-1.el6cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Povoln\u00fd"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6443",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2013-12-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1044178"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: GET request CSRF vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6443"
},
{
"category": "external",
"summary": "RHBZ#1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6443",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6443"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-14T19:16:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CFME: GET request CSRF vulnerability"
}
]
}
rhsa-2014_0025
Vulnerability from csaf_redhat
Published
2014-01-14 19:16
Modified
2024-11-22 07:16
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation enterprises need to address the challenges of managing virtual
environments, which are far more complex than physical ones. This
technology enables enterprises with existing virtual infrastructures
to improve visibility and control, and those just starting virtualization
deployments to build and operate a well-managed virtual infrastructure.
It was found that sending a GET request for a destructive action could
bypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker
could use this flaw to perform Cross-Site Request Forgery (CSRF) attacks
against CloudForms applications. (CVE-2013-6443)
This issue was discovered by Martin Povolný of Red Hat.
This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Red Hat
CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the
References section.
All users of Red Hat CloudForms are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated cfme packages that fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation enterprises need to address the challenges of managing virtual\nenvironments, which are far more complex than physical ones. This\ntechnology enables enterprises with existing virtual infrastructures\nto improve visibility and control, and those just starting virtualization\ndeployments to build and operate a well-managed virtual infrastructure.\n\nIt was found that sending a GET request for a destructive action could\nbypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker\ncould use this flaw to perform Cross-Site Request Forgery (CSRF) attacks\nagainst CloudForms applications. (CVE-2013-6443)\n\nThis issue was discovered by Martin Povoln\u00fd of Red Hat.\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the Red Hat\nCloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the\nReferences section.\n\nAll users of Red Hat CloudForms are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0025",
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0025.json"
}
],
"title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:16:09+00:00",
"generator": {
"date": "2024-11-22T07:16:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0025",
"initial_release_date": "2014-01-14T19:16:52+00:00",
"revision_history": [
{
"date": "2014-01-14T19:16:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-14T19:16:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:16:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Management Engine",
"product": {
"name": "Management Engine",
"product_id": "6Server-CFME",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product_id": "cfme-0:5.2.1.8-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-lib@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.1.8-1.el6cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Povoln\u00fd"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6443",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2013-12-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1044178"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: GET request CSRF vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6443"
},
{
"category": "external",
"summary": "RHBZ#1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6443",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6443"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-14T19:16:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CFME: GET request CSRF vulnerability"
}
]
}
RHSA-2014:0025
Vulnerability from csaf_redhat
Published
2014-01-14 19:16
Modified
2024-11-22 07:16
Summary
Red Hat Security Advisory: cfme security, bug fix, and enhancement update
Notes
Topic
Updated cfme packages that fix one security issue, several bugs, and add
various enhancements are now available for Red Hat CloudForms 3.0.
The Red Hat Security Response Team has rated this update as having moderate
security impact. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available from the CVE link in
the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and
automation enterprises need to address the challenges of managing virtual
environments, which are far more complex than physical ones. This
technology enables enterprises with existing virtual infrastructures
to improve visibility and control, and those just starting virtualization
deployments to build and operate a well-managed virtual infrastructure.
It was found that sending a GET request for a destructive action could
bypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker
could use this flaw to perform Cross-Site Request Forgery (CSRF) attacks
against CloudForms applications. (CVE-2013-6443)
This issue was discovered by Martin Povolný of Red Hat.
This update fixes several bugs and adds multiple enhancements.
Documentation for these changes will be available shortly from the Red Hat
CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the
References section.
All users of Red Hat CloudForms are advised to upgrade to these updated
packages, which contain backported patches to correct these issues and add
these enhancements.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated cfme packages that fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation enterprises need to address the challenges of managing virtual\nenvironments, which are far more complex than physical ones. This\ntechnology enables enterprises with existing virtual infrastructures\nto improve visibility and control, and those just starting virtualization\ndeployments to build and operate a well-managed virtual infrastructure.\n\nIt was found that sending a GET request for a destructive action could\nbypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker\ncould use this flaw to perform Cross-Site Request Forgery (CSRF) attacks\nagainst CloudForms applications. (CVE-2013-6443)\n\nThis issue was discovered by Martin Povoln\u00fd of Red Hat.\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the Red Hat\nCloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the\nReferences section.\n\nAll users of Red Hat CloudForms are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2014:0025",
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#moderate",
"url": "https://access.redhat.com/security/updates/classification/#moderate"
},
{
"category": "external",
"summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
"url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
},
{
"category": "external",
"summary": "1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0025.json"
}
],
"title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T07:16:09+00:00",
"generator": {
"date": "2024-11-22T07:16:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2014:0025",
"initial_release_date": "2014-01-14T19:16:52+00:00",
"revision_history": [
{
"date": "2014-01-14T19:16:52+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2014-01-14T19:16:52+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T07:16:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Management Engine",
"product": {
"name": "Management Engine",
"product_id": "6Server-CFME",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=src\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.src",
"product_id": "cfme-0:5.2.1.8-1.el6cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=noarch\u0026epoch=1"
}
}
},
{
"category": "product_version",
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-lib@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.1.8-1.el6cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_id": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.1.8-1.el6cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
"product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64"
},
"product_reference": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src"
},
"product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"relates_to_product_reference": "6Server-CFME"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src as a component of Management Engine",
"product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
},
"product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
"relates_to_product_reference": "6Server-CFME"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Martin Povoln\u00fd"
],
"organization": "Red Hat",
"summary": "This issue was discovered by Red Hat."
}
],
"cve": "CVE-2013-6443",
"cwe": {
"id": "CWE-352",
"name": "Cross-Site Request Forgery (CSRF)"
},
"discovery_date": "2013-12-17T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1044178"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "CFME: GET request CSRF vulnerability",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2013-6443"
},
{
"category": "external",
"summary": "RHBZ#1044178",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2013-6443",
"url": "https://www.cve.org/CVERecord?id=CVE-2013-6443"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
}
],
"release_date": "2014-01-14T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2014-01-14T19:16:52+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
"product_ids": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2014:0025"
}
],
"scores": [
{
"cvss_v2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"products": [
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
"6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
"6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "CFME: GET request CSRF vulnerability"
}
]
}
ghsa-vvp8-xf2f-vgc6
Vulnerability from github
Published
2022-05-17 04:54
Modified
2022-05-17 04:54
Details
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
{
"affected": [],
"aliases": [
"CVE-2013-6443"
],
"database_specific": {
"cwe_ids": [
"CWE-352"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2014-01-23T01:55:00Z",
"severity": "MODERATE"
},
"details": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"id": "GHSA-vvp8-xf2f-vgc6",
"modified": "2022-05-17T04:54:10Z",
"published": "2022-05-17T04:54:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
},
{
"type": "WEB",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1029606"
}
],
"schema_version": "1.4.0",
"severity": []
}
gsd-2013-6443
Vulnerability from gsd
Modified
2023-12-13 01:22
Details
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2013-6443",
"description": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"id": "GSD-2013-6443",
"references": [
"https://access.redhat.com/errata/RHSA-2014:0025"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2013-6443"
],
"details": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
"id": "GSD-2013-6443",
"modified": "2023-12-13T01:22:18.876912Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6443",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "1029606",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1029606"
},
{
"name": "RHSA-2014:0025",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "5.2.1",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2013-6443"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "RHSA-2014:0025",
"refsource": "REDHAT",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
},
{
"name": "1029606",
"refsource": "SECTRACK",
"tags": [],
"url": "http://www.securitytracker.com/id/1029606"
}
]
}
},
"impact": {
"baseMetricV2": {
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
}
},
"lastModifiedDate": "2014-01-23T18:18Z",
"publishedDate": "2014-01-23T01:55Z"
}
}
}
cve-2013-6443
Vulnerability from fkie_nvd
Published
2014-01-23 01:55
Modified
2024-11-21 01:59
Severity ?
Summary
CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | cloudforms | 3.0 | |
| redhat | cloudforms_3.0_management_engine | * | |
| redhat | cloudforms_3.0_management_engine | 5.2 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*",
"matchCriteriaId": "E497C765-C720-4566-BB73-705C36AEA59A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*",
"matchCriteriaId": "C4F9D471-71B8-413D-9298-286D875F53A9",
"versionEndIncluding": "5.2.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*",
"matchCriteriaId": "D21CFAD1-5422-4595-841D-A80F940B1545",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
},
{
"lang": "es",
"value": "CloudForms 3.0 Management Engine anterior a la versi\u00f3n 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a trav\u00e9s de una acci\u00f3n destructiva en una petici\u00f3n."
}
],
"id": "CVE-2013-6443",
"lastModified": "2024-11-21T01:59:14.567",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
]
},
"published": "2014-01-23T01:55:03.773",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
},
{
"source": "secalert@redhat.com",
"url": "http://www.securitytracker.com/id/1029606"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Vendor Advisory"
],
"url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"url": "http://www.securitytracker.com/id/1029606"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-352"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.