Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2018-3760 (GCVE-0-2018-3760)
Vulnerability from cvelistv5 – Published: 2018-06-26 19:00 – Updated: 2024-09-16 18:39
VLAI?
EPSS
Summary
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
Severity ?
No CVSS data available.
CWE
- CWE-22 - Path Traversal (CWE-22)
Assigner
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T04:50:30.511Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Sprockets",
"vendor": "HackerOne",
"versions": [
{
"status": "affected",
"version": "4.0.0.beta8, 3.7.2, 2.12.5"
}
]
}
],
"datePublic": "2018-06-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal (CWE-22)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-27T09:57:01",
"orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"shortName": "hackerone"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-06-19T00:00:00",
"ID": "CVE-2018-3760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sprockets",
"version": {
"version_data": [
{
"version_value": "4.0.0.beta8, 3.7.2, 2.12.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5",
"refsource": "MISC",
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"name": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
"refsource": "MISC",
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4242"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
"assignerShortName": "hackerone",
"cveId": "CVE-2018-3760",
"datePublished": "2018-06-26T19:00:00Z",
"dateReserved": "2017-12-28T00:00:00",
"dateUpdated": "2024-09-16T18:39:20.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"32E1BA91-4695-4E64-A9D7-4A6CB6904D41\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"67F7263F-113D-4BAE-B8CB-86A61531A2AC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"84FF61DF-D634-4FB5-8DF1-01F631BE1A7A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"B99A2411-7F6A-457F-A7BF-EB13C630F902\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"041F9200-4C01-4187-AE34-240E8277B54D\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4EB48767-F095-444F-9E05-D9AC345AB803\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"5F6FA12B-504C-4DBF-A32E-0548557AA2ED\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"2.0.0\", \"versionEndIncluding\": \"2.12.4\", \"matchCriteriaId\": \"679411A0-8348-42CE-9077-11E82FADA9FC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"3.0.0\", \"versionEndIncluding\": \"3.7.1\", \"matchCriteriaId\": \"6ADAEC05-67A2-4861-A986-4C0A4428EAA8\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"E476722A-DCFD-427D-8F67-3C2A996817EC\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta2:*:*:*:*:*:*\", \"matchCriteriaId\": \"7D018749-4416-4ADA-B701-892F3581F31A\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta3:*:*:*:*:*:*\", \"matchCriteriaId\": \"3248E9DE-D943-48E3-B611-A65E351C79ED\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta4:*:*:*:*:*:*\", \"matchCriteriaId\": \"A82607FD-015B-4740-9950-EE783A79C4F3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta5:*:*:*:*:*:*\", \"matchCriteriaId\": \"EBCEA292-1CD8-45D6-A495-2085F40B9423\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta6:*:*:*:*:*:*\", \"matchCriteriaId\": \"79C7FBAE-F4C2-458A-AD65-CC85A956F93F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta7:*:*:*:*:*:*\", \"matchCriteriaId\": \"D873B105-7A65-4EB1-87A2-72C7CF365BF5\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.\"}, {\"lang\": \"es\", \"value\": \"Existe una vulnerabilidad de fuga de informaci\\u00f3n en Sprockets. Versiones afectadas: 4.0.0.beta7 y anteriores, 3.7.1 y anteriores y 2.12.4 y anteriores. Las peticiones especialmente manipuladas se pueden utilizar para acceder a archivos que existen en el sistema de archivos que est\\u00e1 fuera del directorio root de la aplicaci\\u00f3n, cuando el servidor de Sprockets se utiliza en producci\\u00f3n. Todos los usuarios que ejecuten una distribuci\\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente.\"}]",
"id": "CVE-2018-3760",
"lastModified": "2024-11-21T04:06:01.503",
"metrics": "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\", \"baseScore\": 7.5, \"baseSeverity\": \"HIGH\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 3.6}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:N/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"NONE\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": true, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
"published": "2018-06-26T19:29:00.343",
"references": "[{\"url\": \"https://access.redhat.com/errata/RHSA-2018:2244\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2245\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2561\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2745\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\", \"source\": \"support@hackerone.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\", \"source\": \"support@hackerone.com\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4242\", \"source\": \"support@hackerone.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2244\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2245\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2561\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://access.redhat.com/errata/RHSA-2018:2745\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}, {\"url\": \"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Patch\", \"Third Party Advisory\"]}, {\"url\": \"https://www.debian.org/security/2018/dsa-4242\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"support@hackerone.com\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-200\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2018-3760\",\"sourceIdentifier\":\"support@hackerone.com\",\"published\":\"2018-06-26T19:29:00.343\",\"lastModified\":\"2024-11-21T04:06:01.503\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.\"},{\"lang\":\"es\",\"value\":\"Existe una vulnerabilidad de fuga de informaci\u00f3n en Sprockets. Versiones afectadas: 4.0.0.beta7 y anteriores, 3.7.1 y anteriores y 2.12.4 y anteriores. Las peticiones especialmente manipuladas se pueden utilizar para acceder a archivos que existen en el sistema de archivos que est\u00e1 fuera del directorio root de la aplicaci\u00f3n, cuando el servidor de Sprockets se utiliza en producci\u00f3n. Todos los usuarios que ejecuten una distribuci\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:N/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":true,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"support@hackerone.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-200\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"32E1BA91-4695-4E64-A9D7-4A6CB6904D41\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"67F7263F-113D-4BAE-B8CB-86A61531A2AC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"84FF61DF-D634-4FB5-8DF1-01F631BE1A7A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B99A2411-7F6A-457F-A7BF-EB13C630F902\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"041F9200-4C01-4187-AE34-240E8277B54D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4EB48767-F095-444F-9E05-D9AC345AB803\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"5F6FA12B-504C-4DBF-A32E-0548557AA2ED\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"2.0.0\",\"versionEndIncluding\":\"2.12.4\",\"matchCriteriaId\":\"679411A0-8348-42CE-9077-11E82FADA9FC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndIncluding\":\"3.7.1\",\"matchCriteriaId\":\"6ADAEC05-67A2-4861-A986-4C0A4428EAA8\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"E476722A-DCFD-427D-8F67-3C2A996817EC\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta2:*:*:*:*:*:*\",\"matchCriteriaId\":\"7D018749-4416-4ADA-B701-892F3581F31A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"3248E9DE-D943-48E3-B611-A65E351C79ED\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A82607FD-015B-4740-9950-EE783A79C4F3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"EBCEA292-1CD8-45D6-A495-2085F40B9423\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"79C7FBAE-F4C2-458A-AD65-CC85A956F93F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"D873B105-7A65-4EB1-87A2-72C7CF365BF5\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2244\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2245\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2561\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2745\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\",\"source\":\"support@hackerone.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\",\"source\":\"support@hackerone.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4242\",\"source\":\"support@hackerone.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2244\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2245\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2561\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://access.redhat.com/errata/RHSA-2018:2745\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2018/dsa-4242\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
SUSE-SU-2018:2762-1
Vulnerability from csaf_suse - Published: 2018-09-20 06:04 - Updated: 2018-09-20 06:04Summary
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui
Notes
Title of the patch
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui
Description of the patch
This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:
This security issues was fixed:
- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.
Specially crafted requests could have been be used to access files that exists
on the filesystem that is outside an application's root directory, when the
Sprockets server is used in production (bsc#1098369).
- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)
These non-security issues were fixed for crowbar:
- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade
- upgrade: No need for database dump before the upgrade
- upgrade: No need to use crowbar-init during the upgrade
These non-security issues were fixed for crowbar-core:
- upgrade: Remove pre-upgrade constraints from existing locations
- upgrade: Show the grep result when checking for not-migrated instances
- upgrade: Set clone_stateless_services to false on upgrade
- control_lib: fix host allocation check
- Fix exception handling in get_log_lines
- apache: copytruncate apache logs bsc#1083093
- upgrade: Refresh repos before crowbar-ui update (bsc#1099392)
- upgrade: Reset RabbitMQ nodes during upgrade
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Wait until all nova-compute services are up before evacuation
- upgrade: Save the information which set of nodes should be upgraded
- Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state
- upgrade: Add missing brackets checking for nodes
- upgrade: Make sure postponed nodes can be skipped when applying proposal
- upgrade: When the upgrade is not finished, show a link to wizard
- upgrade: Correctly delete remaining upgrade scripts
- upgrade: Wait for services shutdown to finish
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Stop cron before stopping any other service
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Better check for upgraded nodes - do not rely on state
- upgrade: Improve error messages with lists
- upgrade: Check input is a valid node for nodes
- upgrade: Delete upgrade scripts really at the end of upgrade
- upgrade: Increase the timeout for deleting pacemaker resources
- upgrade: Adapt the check for upgraded? value
- upgrade: Move step to mark the admin upgrade end
- upgrade: Do not finalize nodes that are not upgraded
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Deleting cinder services from database no longer needed
- upgrade: Allow postpone and resume of compute nodes upgrade
- upgrade: Allow the access to controller actions when upgrade is postponed
- upgrade: Finalize upgrade of controller nodes after they are done
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unblock upgrade status API in Cloud8
- upgrade: Do not end admin step while it is still running (bsc#1095420)
- upgrade: Adapt ceph-related checks to 7-8 upgrade
- upgrade: Allow running schema migrations on upgrade
- upgrade: Fix platform retrieval
These non-security issues were fixed for crowbar-ha:
- pacemaker: allow multiple meta parameters (bsc#1093898)
- haproxy: active-active mode, just one VIP
These non-security issues were fixed for crowbar-openstack:
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- rabbitmq: set client timout to default value
- /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- monasca: reduce monasca-installer runs (bsc#1096043)
- manila: Correct field name for cluster name
- Do not mark [:nova][:db_synced] too early
- nova: Do not do partial online migrations, that was Newton specific
- monasca: add elasticsearch tunables (bsc#1090336)
- copytruncate apache logs instead of creating
- rabbitmq: Better dependency check
- aodh: Add config for alarm_history_ttl (bsc#1073703)
- upgrade: cinder: run live migrations at correct rev
These non-security issues were fixed for crowbar-ui:
- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
Patchnames
SUSE-OpenStack-Cloud-Crowbar-8-2018-1928
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:\n\nThis security issues was fixed:\n\n- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.\n Specially crafted requests could have been be used to access files that exists\n on the filesystem that is outside an application\u0027s root directory, when the\n Sprockets server is used in production (bsc#1098369).\n- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)\n\nThese non-security issues were fixed for crowbar:\n\n- upgrade: Lock crowbar-ui before admin upgrade\n- upgrade: Make sure schemas are properly migrated after the upgrade\n- upgrade: No need for database dump before the upgrade\n- upgrade: No need to use crowbar-init during the upgrade\n\nThese non-security issues were fixed for crowbar-core:\n\n- upgrade: Remove pre-upgrade constraints from existing locations\n- upgrade: Show the grep result when checking for not-migrated instances\n- upgrade: Set clone_stateless_services to false on upgrade\n- control_lib: fix host allocation check\n- Fix exception handling in get_log_lines\n- apache: copytruncate apache logs bsc#1083093\n- upgrade: Refresh repos before crowbar-ui update (bsc#1099392)\n- upgrade: Reset RabbitMQ nodes during upgrade\n- upgrade: Do not allow cinder-volume on compute nodes\n- upgrade: Wait until all nova-compute services are up before evacuation\n- upgrade: Save the information which set of nodes should be upgraded\n- Let skip_unready_nodes skip also nodes that are in crowbar_upgrade state\n- upgrade: Add missing brackets checking for nodes\n- upgrade: Make sure postponed nodes can be skipped when applying proposal\n- upgrade: When the upgrade is not finished, show a link to wizard\n- upgrade: Correctly delete remaining upgrade scripts\n- upgrade: Wait for services shutdown to finish\n- upgrade: Unlock crowbar-ui after completed upgrade\n- upgrade: Stop cron before stopping any other service\n- upgrade: Provide better information after the failure\n- upgrade: Report missing scripts\n- upgrade: Better check for upgraded nodes - do not rely on state\n- upgrade: Improve error messages with lists\n- upgrade: Check input is a valid node for nodes\n- upgrade: Delete upgrade scripts really at the end of upgrade\n- upgrade: Increase the timeout for deleting pacemaker resources\n- upgrade: Adapt the check for upgraded? value\n- upgrade: Move step to mark the admin upgrade end\n- upgrade: Do not finalize nodes that are not upgraded\n- upgrade: Fix file layout for rails\u0027 autoloading (bsc#1096759)\n- upgrade: Deleting cinder services from database no longer needed\n- upgrade: Allow postpone and resume of compute nodes upgrade\n- upgrade: Allow the access to controller actions when upgrade is postponed\n- upgrade: Finalize upgrade of controller nodes after they are done\n- upgrade: Added API calls for postponing/resuming compute nodes upgrade\n- upgrade: Unblock upgrade status API in Cloud8\n- upgrade: Do not end admin step while it is still running (bsc#1095420)\n- upgrade: Adapt ceph-related checks to 7-8 upgrade\n- upgrade: Allow running schema migrations on upgrade\n- upgrade: Fix platform retrieval\n\nThese non-security issues were fixed for crowbar-ha:\n\n- pacemaker: allow multiple meta parameters (bsc#1093898)\n- haproxy: active-active mode, just one VIP\n\nThese non-security issues were fixed for crowbar-openstack:\n\n- Synchronize SSL in the cluster (bsc#1081518)\n- neutron: add force_metadata attribute\n- rabbitmq: set client timout to default value\n- /etc/sysctl.d/99-sysctl.conf is a symlink to /etc/sysctl.conf\n- Do not automatically put manila-share roles to compute nodes\n- rabbitmq: check for rabbit readiness\n- rabbitmq: Make sure rabbit is running on cluster\n- monasca: various monasca-installer improvements\n- monasca: reduce monasca-installer runs (bsc#1096043)\n- manila: Correct field name for cluster name\n- Do not mark [:nova][:db_synced] too early\n- nova: Do not do partial online migrations, that was Newton specific\n- monasca: add elasticsearch tunables (bsc#1090336)\n- copytruncate apache logs instead of creating\n- rabbitmq: Better dependency check\n- aodh: Add config for alarm_history_ttl (bsc#1073703)\n- upgrade: cinder: run live migrations at correct rev\n\nThese non-security issues were fixed for crowbar-ui:\n\n- upgrade: Dummy backend for status testing\n- upgrade: Refactor postpone nodes upgrade\n- upgrade: Allow interruption of status wait loop\n- upgrade: Added ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- Add ability to postpone upgrade\n- upgrade: Remove openstack precheck\n- upgrade: Fixed error key for ha_configured\n- upgrade: Remove CEPH related code\n- Remove the non-essential database-configuration controller\n- remove ui typo test\n- Remove database configuration option\n- upgrade: Update SUSE-OpenStack-Cloud-8 label\n- upgrade: Update admin and nodes repo names\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-Crowbar-8-2018-1928",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2762-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2762-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182762-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2762-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-September/004567.html"
},
{
"category": "self",
"summary": "SUSE Bug 1005886",
"url": "https://bugzilla.suse.com/1005886"
},
{
"category": "self",
"summary": "SUSE Bug 1073703",
"url": "https://bugzilla.suse.com/1073703"
},
{
"category": "self",
"summary": "SUSE Bug 1081518",
"url": "https://bugzilla.suse.com/1081518"
},
{
"category": "self",
"summary": "SUSE Bug 1083093",
"url": "https://bugzilla.suse.com/1083093"
},
{
"category": "self",
"summary": "SUSE Bug 1090336",
"url": "https://bugzilla.suse.com/1090336"
},
{
"category": "self",
"summary": "SUSE Bug 1093898",
"url": "https://bugzilla.suse.com/1093898"
},
{
"category": "self",
"summary": "SUSE Bug 1095420",
"url": "https://bugzilla.suse.com/1095420"
},
{
"category": "self",
"summary": "SUSE Bug 1096043",
"url": "https://bugzilla.suse.com/1096043"
},
{
"category": "self",
"summary": "SUSE Bug 1096759",
"url": "https://bugzilla.suse.com/1096759"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE Bug 1099392",
"url": "https://bugzilla.suse.com/1099392"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-8611 page",
"url": "https://www.suse.com/security/cve/CVE-2016-8611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui",
"tracking": {
"current_release_date": "2018-09-20T06:04:40Z",
"generator": {
"date": "2018-09-20T06:04:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2762-1",
"initial_release_date": "2018-09-20T06:04:40Z",
"revision_history": [
{
"date": "2018-09-20T06:04:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product": {
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product_id": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product": {
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"product_id": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"product": {
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"product_id": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"product": {
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"product_id": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"product": {
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"product_id": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"product": {
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"product_id": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product": {
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product_id": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product": {
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"product_id": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
},
"product_reference": "crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
},
"product_reference": "crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64"
},
"product_reference": "crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch"
},
"product_reference": "crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch"
},
"product_reference": "crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch"
},
"product_reference": "crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch"
},
"product_reference": "crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
},
"product_reference": "crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-8611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-8611"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-8611",
"url": "https://www.suse.com/security/cve/CVE-2016-8611"
},
{
"category": "external",
"summary": "SUSE Bug 1005886 for CVE-2016-8611",
"url": "https://bugzilla.suse.com/1005886"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-20T06:04:40Z",
"details": "low"
}
],
"title": "CVE-2016-8611"
},
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:crowbar-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-core-branding-upstream-5.0+git.1533887407.6e9b0412d-3.8.2.x86_64",
"SUSE OpenStack Cloud Crowbar 8:crowbar-devel-5.0+git.1528696845.81a7b5d0-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ha-5.0+git.1530177874.35b9099-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-init-5.0+git.1520420379.d5bbb35-3.3.1.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-openstack-5.0+git.1534167599.d325ef804-4.8.2.noarch",
"SUSE OpenStack Cloud Crowbar 8:crowbar-ui-1.2.0+git.1533844061.4ac8e723-3.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-20T06:04:40Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:1994-1
Vulnerability from csaf_suse - Published: 2018-07-19 07:35 - Updated: 2018-07-19 07:35Summary
Security update for rubygem-sprockets
Notes
Title of the patch
Security update for rubygem-sprockets
Description of the patch
This update for rubygem-sprockets fixes the following issues:
The following security vulnerability was addressed:
- CVE-2018-3760: Fixed a path traversal issue in sprockets/server.rb:forbidden_request?(), which allowed remote attackers to read arbitrary files (bsc#1098369)
Patchnames
SUSE-SLE-Product-HA-15-2018-1349
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets fixes the following issues:\n\nThe following security vulnerability was addressed:\n\n- CVE-2018-3760: Fixed a path traversal issue in sprockets/server.rb:forbidden_request?(), which allowed remote attackers to read arbitrary files (bsc#1098369)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Product-HA-15-2018-1349",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_1994-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:1994-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20181994-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:1994-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-July/004288.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets",
"tracking": {
"current_release_date": "2018-07-19T07:35:45Z",
"generator": {
"date": "2018-07-19T07:35:45Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:1994-1",
"initial_release_date": "2018-07-19T07:35:45Z",
"revision_history": [
{
"date": "2018-07-19T07:35:45Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"product": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"product_id": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product": {
"name": "SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-ha:15"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15",
"product_id": "SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
},
"product_reference": "ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.aarch64",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.ppc64le",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.s390x",
"SUSE Linux Enterprise High Availability Extension 15:ruby2.5-rubygem-sprockets-3.7.2-3.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-07-19T07:35:45Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2217-1
Vulnerability from csaf_suse - Published: 2018-08-06 13:16 - Updated: 2018-08-06 13:16Summary
Security update for rubygem-sprockets-2_12
Notes
Title of the patch
Security update for rubygem-sprockets-2_12
Description of the patch
This update for rubygem-sprockets-2_12 fixes the following issues:
Security issue fixed:
- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to
read arbitrary files (bsc#1098369).
Patchnames
SUSE-OpenStack-Cloud-7-2018-1500
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets-2_12",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets-2_12 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to\n read arbitrary files (bsc#1098369).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-1500",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2217-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2217-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182217-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2217-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-August/004376.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets-2_12",
"tracking": {
"current_release_date": "2018-08-06T13:16:56Z",
"generator": {
"date": "2018-08-06T13:16:56Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2217-1",
"initial_release_date": "2018-08-06T13:16:56Z",
"revision_history": [
{
"date": "2018-08-06T13:16:56Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.aarch64",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.s390x",
"SUSE OpenStack Cloud 7:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.3.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-06T13:16:56Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2176-1
Vulnerability from csaf_suse - Published: 2018-08-02 15:20 - Updated: 2018-08-02 15:20Summary
Security update for rubygem-sprockets-2_12
Notes
Title of the patch
Security update for rubygem-sprockets-2_12
Description of the patch
This update for rubygem-sprockets-2_12 fixes the following issues:
Security issue fixed:
- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to read
arbitrary files (bsc#1098369).
Patchnames
SUSE-OpenStack-Cloud-Crowbar-8-2018-1326
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-sprockets-2_12",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for rubygem-sprockets-2_12 fixes the following issues:\n\nSecurity issue fixed:\n\n- CVE-2018-3760: Fix path traversal in sprockets/server.rb:forbidden_request?() that can allow remote attackers to read\n arbitrary files (bsc#1098369).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-Crowbar-8-2018-1326",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2176-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2176-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182176-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2176-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182176-1.html"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for rubygem-sprockets-2_12",
"tracking": {
"current_release_date": "2018-08-02T15:20:25Z",
"generator": {
"date": "2018-08-02T15:20:25Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2176-1",
"initial_release_date": "2018-08-02T15:20:25Z",
"revision_history": [
{
"date": "2018-08-02T15:20:25Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"product_id": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud Crowbar 8",
"product": {
"name": "SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
"product_id": "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-sprockets-2_12-2.12.5-1.4.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-08-02T15:20:25Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
SUSE-SU-2018:2603-1
Vulnerability from csaf_suse - Published: 2018-09-04 08:48 - Updated: 2018-09-04 08:48Summary
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
Notes
Title of the patch
Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui
Description of the patch
This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:
This security issues was fixed:
- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.
Specially crafted requests could have been be used to access files that exists
on the filesystem that is outside an application's root directory, when the
Sprockets server is used in production (bsc#1098369).
- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)
These non-security issues were fixed for crowbar:
- upgrade: Lock crowbar-ui before admin upgrade
- upgrade: Make sure schemas are properly migrated after the upgrade
These non-security issues were fixed for crowbar-core:
- upgrade: Add the upgrade menu entry
- upgrade: Fix upgrade link
- apache: copytruncate apache logs bsc#1083093
- Fix exception handling in get_log_lines
- upgrade: Raise the default timeouts for most time consuming actions
- upgrade: Do not allow manila-share on compute nodes
- control_lib: fix host allocation check
- upgrade: Check input is a valid node for nodes
- upgrade: Provide better information after the failure
- upgrade: Report missing scripts
- upgrade: Improve error messages with lists
- upgrade: Do not allow cinder-volume on compute nodes
- upgrade: Fix file layout for rails' autoloading (bsc#1096759)
- upgrade: Added API calls for postponing/resuming compute nodes upgrade
- upgrade: Unlock crowbar-ui after completed upgrade
- upgrade: Do not check if ceph roles are present on compute nodes
- upgrade: Fix labels for SOC8 repositories
- upgrade: Finish only controllers step
These non-security issues were fixed for crowbar-ha:
- haproxy: increased SSL stick table to 100k
- DRBD: Fix DRBD resources setup on reinstall node
- pacemaker: allow multiple meta parameters (bsc#1093898)
These non-security issues were fixed for crowbar-openstack:
- nova: reload nova-placement-api (bsc#1103383)
- Synchronize SSL in the cluster (bsc#1081518)
- neutron: add force_metadata attribute
- copytruncate apache logs instead of creating
- rabbitmq: set client timout to default value
- Revert 'database: Split database-server role into backend specific roles'
- Revert 'database: Allow parallel deployments of postgresql and mysql'
- Revert 'database: Allow parallel HA deployment of PostgreSQL and MariaDB'
- Revert 'database: Fix 'Attributes' UI after role renaming'
- Revert 'monasca: Fix check for mysql after it got moved to a separate role'
- Revert 'Restore caching of db_settings'
- Revert 'database: Migration fixes for separate DB roles'
- database: Migration fixes for separate DB roles
- Restore caching of db_settings
- monasca: Fix check for mysql after it got moved to a separate role
- database: Fix 'Attributes' UI after role renaming
- database: Allow parallel HA deployment of PostgreSQL and MariaDB
- database: Allow parallel deployments of postgresql and mysql
- database: Split database-server role into backend specific roles
- Do not automatically put manila-share roles to compute nodes
- rabbitmq: check for rabbit readiness
- rabbitmq: Make sure rabbit is running on cluster
- monasca: various monasca-installer improvements
- manila: Correct field name for cluster name
- mariadb: Add prefix to configs
- mariadb: Remove redundant config values
- aodh: Add config for alarm_history_ttl (bsc#1073703)
These non-security issues were fixed for crowbar-ui:
- upgrade: Dummy backend for status testing
- upgrade: Refactor postpone nodes upgrade
- upgrade: Allow interruption of status wait loop
- upgrade: Added ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- upgrade: Add ability to postpone upgrade nodes
- Add ability to postpone upgrade
- upgrade: Remove openstack precheck
- upgrade: Fixed error key for ha_configured
- upgrade: Remove CEPH related code
- Remove the non-essential database-configuration controller
- remove ui typo test
- Remove database configuration option
- upgrade: Update SUSE-OpenStack-Cloud-8 label
- upgrade: Update admin and nodes repo names
- enable and document docker development environment
Patchnames
SUSE-OpenStack-Cloud-7-2018-1828,SUSE-Storage-4-2018-1828
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for crowbar, crowbar-ha, crowbar-init, crowbar-openstack, crowbar-ui fixes the following issues:\n\nThis security issues was fixed:\n\n- CVE-2018-3760: Upgrade rubygem-sprockets to prevent an information leak.\n Specially crafted requests could have been be used to access files that exists\n on the filesystem that is outside an application\u0027s root directory, when the\n Sprockets server is used in production (bsc#1098369).\n- CVE-2016-861: Add rate limiting for glance api (bsc#1005886)\n\nThese non-security issues were fixed for crowbar:\n\n- upgrade: Lock crowbar-ui before admin upgrade\n- upgrade: Make sure schemas are properly migrated after the upgrade\n\nThese non-security issues were fixed for crowbar-core:\n\n- upgrade: Add the upgrade menu entry\n- upgrade: Fix upgrade link\n- apache: copytruncate apache logs bsc#1083093\n- Fix exception handling in get_log_lines\n- upgrade: Raise the default timeouts for most time consuming actions\n- upgrade: Do not allow manila-share on compute nodes\n- control_lib: fix host allocation check\n- upgrade: Check input is a valid node for nodes\n- upgrade: Provide better information after the failure\n- upgrade: Report missing scripts\n- upgrade: Improve error messages with lists\n- upgrade: Do not allow cinder-volume on compute nodes\n- upgrade: Fix file layout for rails\u0027 autoloading (bsc#1096759)\n- upgrade: Added API calls for postponing/resuming compute nodes upgrade\n- upgrade: Unlock crowbar-ui after completed upgrade\n- upgrade: Do not check if ceph roles are present on compute nodes\n- upgrade: Fix labels for SOC8 repositories\n- upgrade: Finish only controllers step\n\nThese non-security issues were fixed for crowbar-ha:\n\n- haproxy: increased SSL stick table to 100k\n- DRBD: Fix DRBD resources setup on reinstall node\n- pacemaker: allow multiple meta parameters (bsc#1093898)\n\nThese non-security issues were fixed for crowbar-openstack:\n\n- nova: reload nova-placement-api (bsc#1103383)\n- Synchronize SSL in the cluster (bsc#1081518)\n- neutron: add force_metadata attribute\n- copytruncate apache logs instead of creating\n- rabbitmq: set client timout to default value\n- Revert \u0027database: Split database-server role into backend specific roles\u0027\n- Revert \u0027database: Allow parallel deployments of postgresql and mysql\u0027\n- Revert \u0027database: Allow parallel HA deployment of PostgreSQL and MariaDB\u0027\n- Revert \u0027database: Fix \u0027Attributes\u0027 UI after role renaming\u0027\n- Revert \u0027monasca: Fix check for mysql after it got moved to a separate role\u0027\n- Revert \u0027Restore caching of db_settings\u0027\n- Revert \u0027database: Migration fixes for separate DB roles\u0027\n- database: Migration fixes for separate DB roles\n- Restore caching of db_settings\n- monasca: Fix check for mysql after it got moved to a separate role\n- database: Fix \u0027Attributes\u0027 UI after role renaming\n- database: Allow parallel HA deployment of PostgreSQL and MariaDB\n- database: Allow parallel deployments of postgresql and mysql\n- database: Split database-server role into backend specific roles\n- Do not automatically put manila-share roles to compute nodes\n- rabbitmq: check for rabbit readiness\n- rabbitmq: Make sure rabbit is running on cluster\n- monasca: various monasca-installer improvements\n- manila: Correct field name for cluster name\n- mariadb: Add prefix to configs\n- mariadb: Remove redundant config values\n- aodh: Add config for alarm_history_ttl (bsc#1073703)\n\nThese non-security issues were fixed for crowbar-ui:\n\n- upgrade: Dummy backend for status testing\n- upgrade: Refactor postpone nodes upgrade\n- upgrade: Allow interruption of status wait loop\n- upgrade: Added ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- upgrade: Add ability to postpone upgrade nodes\n- Add ability to postpone upgrade\n- upgrade: Remove openstack precheck\n- upgrade: Fixed error key for ha_configured\n- upgrade: Remove CEPH related code\n- Remove the non-essential database-configuration controller\n- remove ui typo test\n- Remove database configuration option\n- upgrade: Update SUSE-OpenStack-Cloud-8 label\n- upgrade: Update admin and nodes repo names\n- enable and document docker development environment\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-OpenStack-Cloud-7-2018-1828,SUSE-Storage-4-2018-1828",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2018_2603-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2018:2603-1",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20182603-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2018:2603-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2018-September/004530.html"
},
{
"category": "self",
"summary": "SUSE Bug 1005886",
"url": "https://bugzilla.suse.com/1005886"
},
{
"category": "self",
"summary": "SUSE Bug 1073703",
"url": "https://bugzilla.suse.com/1073703"
},
{
"category": "self",
"summary": "SUSE Bug 1081518",
"url": "https://bugzilla.suse.com/1081518"
},
{
"category": "self",
"summary": "SUSE Bug 1083093",
"url": "https://bugzilla.suse.com/1083093"
},
{
"category": "self",
"summary": "SUSE Bug 1093898",
"url": "https://bugzilla.suse.com/1093898"
},
{
"category": "self",
"summary": "SUSE Bug 1096759",
"url": "https://bugzilla.suse.com/1096759"
},
{
"category": "self",
"summary": "SUSE Bug 1098369",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "self",
"summary": "SUSE Bug 1103383",
"url": "https://bugzilla.suse.com/1103383"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-8611 page",
"url": "https://www.suse.com/security/cve/CVE-2016-8611/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "Security update for crowbar, crowbar-core, crowbar-ha, crowbar-openstack, crowbar-ui",
"tracking": {
"current_release_date": "2018-09-04T08:48:31Z",
"generator": {
"date": "2018-09-04T08:48:31Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2018:2603-1",
"initial_release_date": "2018-09-04T08:48:31Z",
"revision_history": [
{
"date": "2018-09-04T08:48:31Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product_id": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product": {
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"product_id": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"product": {
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"product_id": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"product": {
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"product_id": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch"
}
},
{
"category": "product_version",
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"product": {
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"product_id": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product_id": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
}
},
{
"category": "product_version",
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"product_id": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 7",
"product": {
"name": "SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse-openstack-cloud:7"
}
}
},
{
"category": "product_name",
"name": "SUSE Enterprise Storage 4",
"product": {
"name": "SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:4"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch"
},
"product_reference": "crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch"
},
"product_reference": "crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch as component of SUSE OpenStack Cloud 7",
"product_id": "SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
},
"product_reference": "crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch",
"relates_to_product_reference": "SUSE OpenStack Cloud 7"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch"
},
"product_reference": "crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64 as component of SUSE Enterprise Storage 4",
"product_id": "SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64"
},
"product_reference": "crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 4"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-8611",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-8611"
}
],
"notes": [
{
"category": "general",
"text": "A vulnerability was found in Openstack Glance. No limits are enforced within the Glance image service for both v1 and v2 `/images` API POST method for authenticated users, resulting in possible denial of service attacks through database table saturation.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-8611",
"url": "https://www.suse.com/security/cve/CVE-2016-8611"
},
{
"category": "external",
"summary": "SUSE Bug 1005886 for CVE-2016-8611",
"url": "https://bugzilla.suse.com/1005886"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-04T08:48:31Z",
"details": "low"
}
],
"title": "CVE-2016-8611"
},
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 4:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE Enterprise Storage 4:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.aarch64",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.s390x",
"SUSE OpenStack Cloud 7:crowbar-core-branding-upstream-4.0+git.1534246408.3ab19c567-9.33.1.x86_64",
"SUSE OpenStack Cloud 7:crowbar-devel-4.0+git.1528801103.f5708341-7.20.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ha-4.0+git.1533750802.5768e73-4.34.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-openstack-4.0+git.1534254269.ce598a9fe-9.39.1.noarch",
"SUSE OpenStack Cloud 7:crowbar-ui-1.1.0+git.1533844061.4ac8e723-4.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2018-09-04T08:48:31Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
RHSA-2018:2745
Vulnerability from csaf_redhat - Published: 2018-09-26 18:36 - Updated: 2025-11-21 18:06Summary
Red Hat Security Advisory: CloudForms 4.5.5 security, bug fix and enhancement update
Notes
Topic
An update is now available for CloudForms Management Engine 5.8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for CloudForms Management Engine 5.8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\n* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2745",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes",
"url": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes"
},
{
"category": "external",
"summary": "1586214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1586214"
},
{
"category": "external",
"summary": "1590761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590761"
},
{
"category": "external",
"summary": "1591443",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591443"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "1593353",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593353"
},
{
"category": "external",
"summary": "1593678",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593678"
},
{
"category": "external",
"summary": "1593798",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593798"
},
{
"category": "external",
"summary": "1593914",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593914"
},
{
"category": "external",
"summary": "1594008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594008"
},
{
"category": "external",
"summary": "1594028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594028"
},
{
"category": "external",
"summary": "1594326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594326"
},
{
"category": "external",
"summary": "1594387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594387"
},
{
"category": "external",
"summary": "1595457",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595457"
},
{
"category": "external",
"summary": "1595462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595462"
},
{
"category": "external",
"summary": "1595771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595771"
},
{
"category": "external",
"summary": "1596336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596336"
},
{
"category": "external",
"summary": "1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "1607442",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607442"
},
{
"category": "external",
"summary": "1608849",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608849"
},
{
"category": "external",
"summary": "1613388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613388"
},
{
"category": "external",
"summary": "1613758",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613758"
},
{
"category": "external",
"summary": "1622632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1622632"
},
{
"category": "external",
"summary": "1623574",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623574"
},
{
"category": "external",
"summary": "1625250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1625250"
},
{
"category": "external",
"summary": "1626475",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1626475"
},
{
"category": "external",
"summary": "1626502",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1626502"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2745.json"
}
],
"title": "Red Hat Security Advisory: CloudForms 4.5.5 security, bug fix and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T18:06:07+00:00",
"generator": {
"date": "2025-11-21T18:06:07+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2018:2745",
"initial_release_date": "2018-09-26T18:36:57+00:00",
"revision_history": [
{
"date": "2018-09-26T18:36:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-09-26T18:36:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:06:07+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.8",
"product": {
"name": "CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical-debuginfo@1.2.1-2.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@1.2.1-2.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product": {
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product_id": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-server@3.1.8-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product": {
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product_id": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-setup@3.1.8-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.8.5.1-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product_id": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@1.2.1-2.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.8.5.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.8.5.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.8.5.1-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64"
},
"product_reference": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64"
},
"product_reference": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-26T18:36:57+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
},
{
"acknowledgments": [
{
"names": [
"Stephen Gappinger"
],
"organization": "American Express"
}
],
"cve": "CVE-2018-10905",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2018-07-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1602190"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10905"
},
{
"category": "external",
"summary": "RHBZ#1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10905",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10905"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905"
}
],
"release_date": "2018-07-20T19:54:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-26T18:36:57+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "workaround",
"details": "Administrators of the CloudForms appliance can filter local packages going to the port where MIQ Server is listening, by using the following iptables command:\n# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport \u003cMIQ Server port\u003e -m owner \u0027!\u0027 --uid-owner root -j DROP\n\nWhere the MIQ Server port can be found using netstat command:\n# netstat -nl --tcp -p | grep -i \"miq server\"",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root"
}
]
}
RHSA-2018_2561
Vulnerability from csaf_redhat - Published: 2018-09-04 18:00 - Updated: 2024-11-22 12:11Summary
Red Hat Security Advisory: CloudForms 4.6.4 security, bug fix, and enhancement update
Notes
Topic
An update is now available for CloudForms Management Engine 5.9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for CloudForms Management Engine 5.9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity Fix(es):\n\n* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2561",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1565259",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1565259"
},
{
"category": "external",
"summary": "1588527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588527"
},
{
"category": "external",
"summary": "1591494",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591494"
},
{
"category": "external",
"summary": "1591495",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591495"
},
{
"category": "external",
"summary": "1591496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591496"
},
{
"category": "external",
"summary": "1591497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591497"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "1595416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595416"
},
{
"category": "external",
"summary": "1595445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595445"
},
{
"category": "external",
"summary": "1595447",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595447"
},
{
"category": "external",
"summary": "1595448",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595448"
},
{
"category": "external",
"summary": "1595450",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595450"
},
{
"category": "external",
"summary": "1595451",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595451"
},
{
"category": "external",
"summary": "1595454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595454"
},
{
"category": "external",
"summary": "1595456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595456"
},
{
"category": "external",
"summary": "1595461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595461"
},
{
"category": "external",
"summary": "1595776",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595776"
},
{
"category": "external",
"summary": "1598528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598528"
},
{
"category": "external",
"summary": "1598532",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598532"
},
{
"category": "external",
"summary": "1598873",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598873"
},
{
"category": "external",
"summary": "1599350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599350"
},
{
"category": "external",
"summary": "1599353",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599353"
},
{
"category": "external",
"summary": "1600191",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600191"
},
{
"category": "external",
"summary": "1600670",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600670"
},
{
"category": "external",
"summary": "1600738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600738"
},
{
"category": "external",
"summary": "1601587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601587"
},
{
"category": "external",
"summary": "1601589",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601589"
},
{
"category": "external",
"summary": "1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "1603022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603022"
},
{
"category": "external",
"summary": "1603029",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603029"
},
{
"category": "external",
"summary": "1603031",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603031"
},
{
"category": "external",
"summary": "1603058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603058"
},
{
"category": "external",
"summary": "1603210",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603210"
},
{
"category": "external",
"summary": "1607441",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607441"
},
{
"category": "external",
"summary": "1608844",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608844"
},
{
"category": "external",
"summary": "1610055",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610055"
},
{
"category": "external",
"summary": "1610425",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610425"
},
{
"category": "external",
"summary": "1610685",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610685"
},
{
"category": "external",
"summary": "1611002",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611002"
},
{
"category": "external",
"summary": "1611660",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611660"
},
{
"category": "external",
"summary": "1612062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612062"
},
{
"category": "external",
"summary": "1612856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612856"
},
{
"category": "external",
"summary": "1612889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612889"
},
{
"category": "external",
"summary": "1613295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613295"
},
{
"category": "external",
"summary": "1613387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613387"
},
{
"category": "external",
"summary": "1613757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613757"
},
{
"category": "external",
"summary": "1615633",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1615633"
},
{
"category": "external",
"summary": "1618219",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1618219"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2561.json"
}
],
"title": "Red Hat Security Advisory: CloudForms 4.6.4 security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T12:11:09+00:00",
"generator": {
"date": "2024-11-22T12:11:09+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2561",
"initial_release_date": "2018-09-04T18:00:51+00:00",
"revision_history": [
{
"date": "2018-09-04T18:00:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-09-04T18:00:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T12:11:09+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.9",
"product": {
"name": "CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme-doc@2.0.3-1.el7cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme@2.0.3-1.el7cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme@2.0.3-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product_id": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@2.1.0-4.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.4.7-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@2.1.0-4.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical-debuginfo@2.1.0-4.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-common@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-tools@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.4.7-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-04T18:00:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
},
{
"acknowledgments": [
{
"names": [
"Stephen Gappinger"
],
"organization": "American Express"
}
],
"cve": "CVE-2018-10905",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2018-07-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1602190"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10905"
},
{
"category": "external",
"summary": "RHBZ#1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10905",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10905"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905"
}
],
"release_date": "2018-07-20T19:54:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-04T18:00:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "workaround",
"details": "Administrators of the CloudForms appliance can filter local packages going to the port where MIQ Server is listening, by using the following iptables command:\n# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport \u003cMIQ Server port\u003e -m owner \u0027!\u0027 --uid-owner root -j DROP\n\nWhere the MIQ Server port can be found using netstat command:\n# netstat -nl --tcp -p | grep -i \"miq server\"",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root"
}
]
}
RHSA-2018_2244
Vulnerability from csaf_redhat - Published: 2018-07-24 07:47 - Updated: 2024-11-15 02:11Summary
Red Hat Security Advisory: rh-ror42-rubygem-sprockets security update
Notes
Topic
An update for rh-ror42-rubygem-sprockets is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-ror42-rubygem-sprockets is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2244",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2244.json"
}
],
"title": "Red Hat Security Advisory: rh-ror42-rubygem-sprockets security update",
"tracking": {
"current_release_date": "2024-11-15T02:11:41+00:00",
"generator": {
"date": "2024-11-15T02:11:41+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2244",
"initial_release_date": "2018-07-24T07:47:11+00:00",
"revision_history": [
{
"date": "2018-07-24T07:47:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-24T07:47:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T02:11:41+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product_id": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets-doc@3.2.0-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product_id": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets-doc@3.2.0-5.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-07-24T07:47:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
}
]
}
RHSA-2018_2245
Vulnerability from csaf_redhat - Published: 2018-07-24 07:47 - Updated: 2024-11-15 02:11Summary
Red Hat Security Advisory: rh-ror50-rubygem-sprockets security update
Notes
Topic
An update for rh-ror50-rubygem-sprockets is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-ror50-rubygem-sprockets is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2245",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2245.json"
}
],
"title": "Red Hat Security Advisory: rh-ror50-rubygem-sprockets security update",
"tracking": {
"current_release_date": "2024-11-15T02:11:36+00:00",
"generator": {
"date": "2024-11-15T02:11:36+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2245",
"initial_release_date": "2018-07-24T07:47:05+00:00",
"revision_history": [
{
"date": "2018-07-24T07:47:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-24T07:47:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T02:11:36+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product_id": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets-doc@3.7.1-2.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product_id": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets-doc@3.7.1-2.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-07-24T07:47:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
}
]
}
RHSA-2018:2561
Vulnerability from csaf_redhat - Published: 2018-09-04 18:00 - Updated: 2025-11-21 18:05Summary
Red Hat Security Advisory: CloudForms 4.6.4 security, bug fix, and enhancement update
Notes
Topic
An update is now available for CloudForms Management Engine 5.9.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Security Fix(es):
* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for CloudForms Management Engine 5.9.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity Fix(es):\n\n* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2561",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1565259",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1565259"
},
{
"category": "external",
"summary": "1588527",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1588527"
},
{
"category": "external",
"summary": "1591494",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591494"
},
{
"category": "external",
"summary": "1591495",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591495"
},
{
"category": "external",
"summary": "1591496",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591496"
},
{
"category": "external",
"summary": "1591497",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591497"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "1595416",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595416"
},
{
"category": "external",
"summary": "1595445",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595445"
},
{
"category": "external",
"summary": "1595447",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595447"
},
{
"category": "external",
"summary": "1595448",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595448"
},
{
"category": "external",
"summary": "1595450",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595450"
},
{
"category": "external",
"summary": "1595451",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595451"
},
{
"category": "external",
"summary": "1595454",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595454"
},
{
"category": "external",
"summary": "1595456",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595456"
},
{
"category": "external",
"summary": "1595461",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595461"
},
{
"category": "external",
"summary": "1595776",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595776"
},
{
"category": "external",
"summary": "1598528",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598528"
},
{
"category": "external",
"summary": "1598532",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598532"
},
{
"category": "external",
"summary": "1598873",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1598873"
},
{
"category": "external",
"summary": "1599350",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599350"
},
{
"category": "external",
"summary": "1599353",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1599353"
},
{
"category": "external",
"summary": "1600191",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600191"
},
{
"category": "external",
"summary": "1600670",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600670"
},
{
"category": "external",
"summary": "1600738",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1600738"
},
{
"category": "external",
"summary": "1601587",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601587"
},
{
"category": "external",
"summary": "1601589",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1601589"
},
{
"category": "external",
"summary": "1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "1603022",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603022"
},
{
"category": "external",
"summary": "1603029",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603029"
},
{
"category": "external",
"summary": "1603031",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603031"
},
{
"category": "external",
"summary": "1603058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603058"
},
{
"category": "external",
"summary": "1603210",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1603210"
},
{
"category": "external",
"summary": "1607441",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607441"
},
{
"category": "external",
"summary": "1608844",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608844"
},
{
"category": "external",
"summary": "1610055",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610055"
},
{
"category": "external",
"summary": "1610425",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610425"
},
{
"category": "external",
"summary": "1610685",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1610685"
},
{
"category": "external",
"summary": "1611002",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611002"
},
{
"category": "external",
"summary": "1611660",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1611660"
},
{
"category": "external",
"summary": "1612062",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612062"
},
{
"category": "external",
"summary": "1612856",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612856"
},
{
"category": "external",
"summary": "1612889",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1612889"
},
{
"category": "external",
"summary": "1613295",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613295"
},
{
"category": "external",
"summary": "1613387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613387"
},
{
"category": "external",
"summary": "1613757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613757"
},
{
"category": "external",
"summary": "1615633",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1615633"
},
{
"category": "external",
"summary": "1618219",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1618219"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2561.json"
}
],
"title": "Red Hat Security Advisory: CloudForms 4.6.4 security, bug fix, and enhancement update",
"tracking": {
"current_release_date": "2025-11-21T18:05:54+00:00",
"generator": {
"date": "2025-11-21T18:05:54+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2018:2561",
"initial_release_date": "2018-09-04T18:00:51+00:00",
"revision_history": [
{
"date": "2018-09-04T18:00:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-09-04T18:00:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:05:54+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.9",
"product": {
"name": "CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.9::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme-doc@2.0.3-1.el7cf?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme@2.0.3-1.el7cf?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product_id": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ruby23-rubygem-redhat_access_cfme@2.0.3-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product_id": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@2.1.0-4.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.4.7-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product_id": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.4.7-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@2.1.0-4.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical-debuginfo@2.1.0-4.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-common@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-tools@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset-debuginfo@5.9.4.7-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product_id": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.9.4.7-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.9.4.7-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64 as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch as a component of CloudForms Management Engine 5.9",
"product_id": "7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
},
"product_reference": "rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch",
"relates_to_product_reference": "7Server-RH7-CFME-5.9"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-04T18:00:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
},
{
"acknowledgments": [
{
"names": [
"Stephen Gappinger"
],
"organization": "American Express"
}
],
"cve": "CVE-2018-10905",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2018-07-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1602190"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10905"
},
{
"category": "external",
"summary": "RHBZ#1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10905",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10905"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905"
}
],
"release_date": "2018-07-20T19:54:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-04T18:00:51+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "workaround",
"details": "Administrators of the CloudForms appliance can filter local packages going to the port where MIQ Server is listening, by using the following iptables command:\n# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport \u003cMIQ Server port\u003e -m owner \u0027!\u0027 --uid-owner root -j DROP\n\nWhere the MIQ Server port can be found using netstat command:\n# netstat -nl --tcp -p | grep -i \"miq server\"",
"product_ids": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-amazon-smartstate-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-appliance-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-common-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-appliance-tools-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.src",
"7Server-RH7-CFME-5.9:cfme-gemset-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:cfme-gemset-debuginfo-0:5.9.4.7-1.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.src",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-postgresql95-postgresql-pglogical-debuginfo-0:2.1.0-4.el7cf.x86_64",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.noarch",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-0:2.0.3-1.el7cf.src",
"7Server-RH7-CFME-5.9:rh-ruby23-rubygem-redhat_access_cfme-doc-0:2.0.3-1.el7cf.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root"
}
]
}
RHSA-2018:2244
Vulnerability from csaf_redhat - Published: 2018-07-24 07:47 - Updated: 2025-11-21 18:05Summary
Red Hat Security Advisory: rh-ror42-rubygem-sprockets security update
Notes
Topic
An update for rh-ror42-rubygem-sprockets is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-ror42-rubygem-sprockets is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2244",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2244.json"
}
],
"title": "Red Hat Security Advisory: rh-ror42-rubygem-sprockets security update",
"tracking": {
"current_release_date": "2025-11-21T18:05:34+00:00",
"generator": {
"date": "2025-11-21T18:05:34+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2018:2244",
"initial_release_date": "2018-07-24T07:47:11+00:00",
"revision_history": [
{
"date": "2018-07-24T07:47:11+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-24T07:47:11+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:05:34+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product_id": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets-doc@3.2.0-5.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product_id": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets@3.2.0-5.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product_id": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror42-rubygem-sprockets-doc@3.2.0-5.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src"
},
"product_reference": "rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
},
"product_reference": "rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-07-24T07:47:11+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el6.src",
"6Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Server-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-0:3.2.0-5.el7.src",
"7Workstation-RHSCL-3.1:rh-ror42-rubygem-sprockets-doc-0:3.2.0-5.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
}
]
}
RHSA-2018_2745
Vulnerability from csaf_redhat - Published: 2018-09-26 18:36 - Updated: 2024-11-22 12:11Summary
Red Hat Security Advisory: CloudForms 4.5.5 security, bug fix and enhancement update
Notes
Topic
An update is now available for CloudForms Management Engine 5.8.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Red Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.
Additional Changes:
This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update is now available for CloudForms Management Engine 5.8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\n* cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root (CVE-2018-10905)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nRed Hat would like to thank Stephen Gappinger (American Express) for reporting CVE-2018-10905.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2745",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes",
"url": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.5/html/release_notes"
},
{
"category": "external",
"summary": "1586214",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1586214"
},
{
"category": "external",
"summary": "1590761",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1590761"
},
{
"category": "external",
"summary": "1591443",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1591443"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "1593353",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593353"
},
{
"category": "external",
"summary": "1593678",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593678"
},
{
"category": "external",
"summary": "1593798",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593798"
},
{
"category": "external",
"summary": "1593914",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593914"
},
{
"category": "external",
"summary": "1594008",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594008"
},
{
"category": "external",
"summary": "1594028",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594028"
},
{
"category": "external",
"summary": "1594326",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594326"
},
{
"category": "external",
"summary": "1594387",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1594387"
},
{
"category": "external",
"summary": "1595457",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595457"
},
{
"category": "external",
"summary": "1595462",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595462"
},
{
"category": "external",
"summary": "1595771",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1595771"
},
{
"category": "external",
"summary": "1596336",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1596336"
},
{
"category": "external",
"summary": "1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "1607442",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1607442"
},
{
"category": "external",
"summary": "1608849",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1608849"
},
{
"category": "external",
"summary": "1613388",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613388"
},
{
"category": "external",
"summary": "1613758",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1613758"
},
{
"category": "external",
"summary": "1622632",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1622632"
},
{
"category": "external",
"summary": "1623574",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1623574"
},
{
"category": "external",
"summary": "1625250",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1625250"
},
{
"category": "external",
"summary": "1626475",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1626475"
},
{
"category": "external",
"summary": "1626502",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1626502"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2745.json"
}
],
"title": "Red Hat Security Advisory: CloudForms 4.5.5 security, bug fix and enhancement update",
"tracking": {
"current_release_date": "2024-11-22T12:11:03+00:00",
"generator": {
"date": "2024-11-22T12:11:03+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2018:2745",
"initial_release_date": "2018-09-26T18:36:57+00:00",
"revision_history": [
{
"date": "2018-09-26T18:36:57+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-09-26T18:36:57+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-22T12:11:03+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "CloudForms Management Engine 5.8",
"product": {
"name": "CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:cloudforms_managementengine:5.8::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat CloudForms"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical-debuginfo@1.2.1-2.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product_id": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@1.2.1-2.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product": {
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product_id": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-server@3.1.8-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product": {
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product_id": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ansible-tower-setup@3.1.8-1.el7at?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-debuginfo@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.8.5.1-1.el7cf?arch=x86_64"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product_id": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.8.5.1-1.el7cf?arch=x86_64"
}
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product_id": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-postgresql95-postgresql-pglogical@1.2.1-2.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme@5.8.5.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-appliance@5.8.5.1-1.el7cf?arch=src"
}
}
},
{
"category": "product_version",
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product_id": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/cfme-gemset@5.8.5.1-1.el7cf?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-server-0:3.1.8-1.el7at.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64"
},
"product_reference": "ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64"
},
"product_reference": "ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-appliance-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src"
},
"product_reference": "cfme-gemset-0:5.8.5.1-1.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64"
},
"product_reference": "cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64 as a component of CloudForms Management Engine 5.8",
"product_id": "7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
},
"product_reference": "rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64",
"relates_to_product_reference": "7Server-RH7-CFME-5.8"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-26T18:36:57+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
},
{
"acknowledgments": [
{
"names": [
"Stephen Gappinger"
],
"organization": "American Express"
}
],
"cve": "CVE-2018-10905",
"cwe": {
"id": "CWE-284",
"name": "Improper Access Control"
},
"discovery_date": "2018-07-18T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1602190"
}
],
"notes": [
{
"category": "description",
"text": "CloudForms Management Engine has a vulnerability that allows local users to execute arbitrary commands as root. An attacker with SSH access to the system can use the dRuby (DRb) module installed on the system to execute arbitrary shell commands using `instance_eval()`.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-10905"
},
{
"category": "external",
"summary": "RHBZ#1602190",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1602190"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-10905",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-10905"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-10905"
}
],
"release_date": "2018-07-20T19:54:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-09-26T18:36:57+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "workaround",
"details": "Administrators of the CloudForms appliance can filter local packages going to the port where MIQ Server is listening, by using the following iptables command:\n# iptables -I OUTPUT 1 -o lo -d localhost/32 -p tcp -m tcp --dport \u003cMIQ Server port\u003e -m owner \u0027!\u0027 --uid-owner root -j DROP\n\nWhere the MIQ Server port can be found using netstat command:\n# netstat -nl --tcp -p | grep -i \"miq server\"",
"product_ids": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.0"
},
"products": [
"7Server-RH7-CFME-5.8:ansible-tower-server-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:ansible-tower-setup-0:3.1.8-1.el7at.x86_64",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-appliance-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-appliance-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-debuginfo-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.src",
"7Server-RH7-CFME-5.8:cfme-gemset-0:5.8.5.1-1.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.src",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-0:1.2.1-2.el7cf.x86_64",
"7Server-RH7-CFME-5.8:rh-postgresql95-postgresql-pglogical-debuginfo-0:1.2.1-2.el7cf.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "cfme: Improper access control in dRuby allows local users to execute arbitrary commands as root"
}
]
}
RHSA-2018:2245
Vulnerability from csaf_redhat - Published: 2018-07-24 07:47 - Updated: 2025-11-21 18:05Summary
Red Hat Security Advisory: rh-ror50-rubygem-sprockets security update
Notes
Topic
An update for rh-ror50-rubygem-sprockets is now available for Red Hat Software Collections.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.
Security Fix(es):
* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)
For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "An update for rh-ror50-rubygem-sprockets is now available for Red Hat Software Collections.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Sprockets is a Ruby library for compiling and serving web assets. It features declarative dependency management for JavaScript and CSS assets, as well as a powerful preprocessor pipeline that allows to write assets in languages like CoffeeScript, Sass and SCSS.\n\nSecurity Fix(es):\n\n* rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files (CVE-2018-3760)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2018:2245",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2018/rhsa-2018_2245.json"
}
],
"title": "Red Hat Security Advisory: rh-ror50-rubygem-sprockets security update",
"tracking": {
"current_release_date": "2025-11-21T18:05:35+00:00",
"generator": {
"date": "2025-11-21T18:05:35+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2018:2245",
"initial_release_date": "2018-07-24T07:47:05+00:00",
"revision_history": [
{
"date": "2018-07-24T07:47:05+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2018-07-24T07:47:05+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:05:35+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el6"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
},
{
"category": "product_name",
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product": {
"name": "Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhel_software_collections:3::el7"
}
}
}
],
"category": "product_family",
"name": "Red Hat Software Collections"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el6?arch=src"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el7?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product_id": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets-doc@3.7.1-2.el6?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product_id": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets-doc@3.7.1-2.el7?arch=noarch"
}
}
},
{
"category": "product_version",
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product_id": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/rh-ror50-rubygem-sprockets@3.7.1-2.el7?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 6.7)",
"product_id": "6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1-6.7.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 6)",
"product_id": "6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 6)",
"product_id": "6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"relates_to_product_reference": "6Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.3)",
"product_id": "7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.3.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.4)",
"product_id": "7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.4.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server EUS (v. 7.5)",
"product_id": "7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1-7.5.Z"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Server (v. 7)",
"product_id": "7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Server-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src"
},
"product_reference": "rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch as a component of Red Hat Software Collections for Red Hat Enterprise Linux Workstation (v. 7)",
"product_id": "7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
},
"product_reference": "rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"relates_to_product_reference": "7Workstation-RHSCL-3.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"discovery_date": "2018-06-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1593058"
}
],
"notes": [
{
"category": "description",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "RHBZ#1593058",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1593058"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"category": "external",
"summary": "http://www.openwall.com/lists/oss-security/2018/06/19/2",
"url": "http://www.openwall.com/lists/oss-security/2018/06/19/2"
},
{
"category": "external",
"summary": "https://blog.heroku.com/rails-asset-pipeline-vulnerability",
"url": "https://blog.heroku.com/rails-asset-pipeline-vulnerability"
}
],
"release_date": "2018-06-20T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2018-07-24T07:47:05+00:00",
"details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "workaround",
"details": "Ensure config.assets.compile = false in production.rb.",
"product_ids": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1-6.7.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.noarch",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el6.src",
"6Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el6.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.3.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.4.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1-7.5.Z:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Server-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.noarch",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-0:3.7.1-2.el7.src",
"7Workstation-RHSCL-3.1:rh-ror50-rubygem-sprockets-doc-0:3.7.1-2.el7.noarch"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "rubygem-sprockets: Path traversal in forbidden_request?() can allow remote attackers to read arbitrary files"
}
]
}
OPENSUSE-SU-2025:15128-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00Summary
ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 on GA media
Notes
Title of the patch
ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 on GA media
Description of the patch
These are all security issues fixed in the ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15128
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15128",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15128-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15128-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RRXSPGRXVMLQ5YNC7KQPFZOP56ZV6NB/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15128-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RRXSPGRXVMLQ5YNC7KQPFZOP56ZV6NB/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15128-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"product": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"product_id": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"product": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"product_id": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"product": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"product_id": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64",
"product": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64",
"product_id": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64"
},
"product_reference": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le"
},
"product_reference": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x"
},
"product_reference": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64"
},
"product_reference": "ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-3.7-3.7.5-1.3.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:14177-1
Vulnerability from csaf_opensuse - Published: 2024-07-12 00:00 - Updated: 2024-07-12 00:00Summary
ruby3.3-rubygem-sprockets-4.2.1-1.5 on GA media
Notes
Title of the patch
ruby3.3-rubygem-sprockets-4.2.1-1.5 on GA media
Description of the patch
These are all security issues fixed in the ruby3.3-rubygem-sprockets-4.2.1-1.5 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14177
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-sprockets-4.2.1-1.5 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-sprockets-4.2.1-1.5 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14177",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14177-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.3-rubygem-sprockets-4.2.1-1.5 on GA media",
"tracking": {
"current_release_date": "2024-07-12T00:00:00Z",
"generator": {
"date": "2024-07-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14177-1",
"initial_release_date": "2024-07-12T00:00:00Z",
"revision_history": [
{
"date": "2024-07-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"product": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"product_id": "ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"product": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"product_id": "ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"product": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"product_id": "ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64",
"product": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64",
"product_id": "ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64"
},
"product_reference": "ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le"
},
"product_reference": "ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x"
},
"product_reference": "ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64"
},
"product_reference": "ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-4.2.1-1.5.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-07-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:13169-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
ruby3.2-rubygem-sprockets-4.1.1-1.6 on GA media
Notes
Title of the patch
ruby3.2-rubygem-sprockets-4.1.1-1.6 on GA media
Description of the patch
These are all security issues fixed in the ruby3.2-rubygem-sprockets-4.1.1-1.6 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13169
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-sprockets-4.1.1-1.6 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-sprockets-4.1.1-1.6 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13169",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13169-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.2-rubygem-sprockets-4.1.1-1.6 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13169-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"product": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"product_id": "ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"product": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"product_id": "ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"product": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"product_id": "ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64",
"product": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64",
"product_id": "ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64"
},
"product_reference": "ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le"
},
"product_reference": "ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x"
},
"product_reference": "ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64"
},
"product_reference": "ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-4.1.1-1.6.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2025:15127-1
Vulnerability from csaf_opensuse - Published: 2025-05-17 00:00 - Updated: 2025-05-17 00:00Summary
ruby3.4-rubygem-sprockets-4.2.1-1.7 on GA media
Notes
Title of the patch
ruby3.4-rubygem-sprockets-4.2.1-1.7 on GA media
Description of the patch
These are all security issues fixed in the ruby3.4-rubygem-sprockets-4.2.1-1.7 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2025-15127
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.4-rubygem-sprockets-4.2.1-1.7 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.4-rubygem-sprockets-4.2.1-1.7 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2025-15127",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2025_15127-1.json"
},
{
"category": "self",
"summary": "URL for openSUSE-SU-2025:15127-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTUL6Z6BEZPYXPSOOLULWWB5HXRXARXY/"
},
{
"category": "self",
"summary": "E-Mail link for openSUSE-SU-2025:15127-1",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTUL6Z6BEZPYXPSOOLULWWB5HXRXARXY/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.4-rubygem-sprockets-4.2.1-1.7 on GA media",
"tracking": {
"current_release_date": "2025-05-17T00:00:00Z",
"generator": {
"date": "2025-05-17T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2025:15127-1",
"initial_release_date": "2025-05-17T00:00:00Z",
"revision_history": [
{
"date": "2025-05-17T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"product": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"product_id": "ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"product": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"product_id": "ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"product": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"product_id": "ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64",
"product": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64",
"product_id": "ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64"
},
"product_reference": "ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le"
},
"product_reference": "ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x"
},
"product_reference": "ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64"
},
"product_reference": "ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.s390x",
"openSUSE Tumbleweed:ruby3.4-rubygem-sprockets-4.2.1-1.7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2025-05-17T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:11906-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
ruby3.1-rubygem-sprockets-4.0.3-1.1 on GA media
Notes
Title of the patch
ruby3.1-rubygem-sprockets-4.0.3-1.1 on GA media
Description of the patch
These are all security issues fixed in the ruby3.1-rubygem-sprockets-4.0.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11906
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.1-rubygem-sprockets-4.0.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.1-rubygem-sprockets-4.0.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11906",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11906-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.1-rubygem-sprockets-4.0.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11906-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"product": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"product_id": "ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"product": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"product_id": "ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"product": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"product_id": "ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64",
"product": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64",
"product_id": "ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64"
},
"product_reference": "ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le"
},
"product_reference": "ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x"
},
"product_reference": "ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64"
},
"product_reference": "ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.1-rubygem-sprockets-4.0.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:11355-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 on GA media
Notes
Title of the patch
ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 on GA media
Description of the patch
These are all security issues fixed in the ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11355
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11355",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11355-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11355-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"product": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"product_id": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"product": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"product_id": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"product": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"product_id": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"product": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"product_id": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"product": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"product_id": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"product": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"product_id": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"product": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"product_id": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"product": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"product_id": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64"
},
"product_reference": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le"
},
"product_reference": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x"
},
"product_reference": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
},
"product_reference": "ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64"
},
"product_reference": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le"
},
"product_reference": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x"
},
"product_reference": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
},
"product_reference": "ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-3.7-3.7.2-1.10.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-3.7-3.7.2-1.10.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:14075-1
Vulnerability from csaf_opensuse - Published: 2024-06-24 00:00 - Updated: 2024-06-24 00:00Summary
ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 on GA media
Notes
Title of the patch
ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 on GA media
Description of the patch
These are all security issues fixed in the ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-14075
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-14075",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_14075-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1 on GA media",
"tracking": {
"current_release_date": "2024-06-24T00:00:00Z",
"generator": {
"date": "2024-06-24T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:14075-1",
"initial_release_date": "2024-06-24T00:00:00Z",
"revision_history": [
{
"date": "2024-06-24T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"product": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"product_id": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"product": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"product_id": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"product": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"product_id": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64",
"product": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64",
"product_id": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64"
},
"product_reference": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le"
},
"product_reference": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x"
},
"product_reference": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64"
},
"product_reference": "ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.aarch64",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.ppc64le",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.s390x",
"openSUSE Tumbleweed:ruby3.3-rubygem-sprockets-3.7-3.7.3-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-24T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:11354-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
ruby2.7-rubygem-sprockets-4.0.2-1.7 on GA media
Notes
Title of the patch
ruby2.7-rubygem-sprockets-4.0.2-1.7 on GA media
Description of the patch
These are all security issues fixed in the ruby2.7-rubygem-sprockets-4.0.2-1.7 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-11354
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby2.7-rubygem-sprockets-4.0.2-1.7 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby2.7-rubygem-sprockets-4.0.2-1.7 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-11354",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_11354-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby2.7-rubygem-sprockets-4.0.2-1.7 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:11354-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"product": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"product_id": "ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"product": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"product_id": "ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"product": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"product_id": "ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"product": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"product_id": "ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"product": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"product_id": "ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"product": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"product_id": "ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"product": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"product_id": "ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64"
}
},
{
"category": "product_version",
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64",
"product": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64",
"product_id": "ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64"
},
"product_reference": "ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le"
},
"product_reference": "ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x"
},
"product_reference": "ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64"
},
"product_reference": "ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64"
},
"product_reference": "ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le"
},
"product_reference": "ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x"
},
"product_reference": "ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64"
},
"product_reference": "ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby2.7-rubygem-sprockets-4.0.2-1.7.x86_64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.aarch64",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.ppc64le",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.s390x",
"openSUSE Tumbleweed:ruby3.0-rubygem-sprockets-4.0.2-1.7.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
OPENSUSE-SU-2024:13170-1
Vulnerability from csaf_opensuse - Published: 2024-06-15 00:00 - Updated: 2024-06-15 00:00Summary
ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 on GA media
Notes
Title of the patch
ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 on GA media
Description of the patch
These are all security issues fixed in the ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 package on the GA media of openSUSE Tumbleweed.
Patchnames
openSUSE-Tumbleweed-2024-13170
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2024-13170",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2024_13170-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2018-3760 page",
"url": "https://www.suse.com/security/cve/CVE-2018-3760/"
}
],
"title": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20 on GA media",
"tracking": {
"current_release_date": "2024-06-15T00:00:00Z",
"generator": {
"date": "2024-06-15T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2024:13170-1",
"initial_release_date": "2024-06-15T00:00:00Z",
"revision_history": [
{
"date": "2024-06-15T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"product": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"product_id": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"product": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"product_id": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"product": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"product_id": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64",
"product": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64",
"product_id": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64"
},
"product_reference": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le"
},
"product_reference": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x"
},
"product_reference": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64"
},
"product_reference": "ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2018-3760"
}
],
"notes": [
{
"category": "general",
"text": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2018-3760",
"url": "https://www.suse.com/security/cve/CVE-2018-3760"
},
{
"category": "external",
"summary": "SUSE Bug 1098369 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1098369"
},
{
"category": "external",
"summary": "SUSE Bug 1182167 for CVE-2018-3760",
"url": "https://bugzilla.suse.com/1182167"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"products": [
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.aarch64",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.ppc64le",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.s390x",
"openSUSE Tumbleweed:ruby3.2-rubygem-sprockets-3.7-3.7.2-1.20.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2024-06-15T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2018-3760"
}
]
}
CERTFR-2018-AVI-297
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby On Rails. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 4.0.0.beta7 et antérieures | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 2.12.4 et antérieures | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 3.7.1 et antérieures |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby On Rails versions 4.0.0.beta7 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 2.12.4 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 3.7.1 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
}
],
"links": [],
"reference": "CERTFR-2018-AVI-297",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-06-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby On Rails. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails [CVE-2018-3760] du 19 juin 2018",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/ft_J--l55fM"
}
]
}
CERTFR-2018-AVI-297
Vulnerability from certfr_avis - Published: - Updated:
Une vulnérabilité a été découverte dans Ruby On Rails. Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données.
Solution
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
NoneImpacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 4.0.0.beta7 et antérieures | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 2.12.4 et antérieures | ||
| Ruby on Rails | Ruby on Rails | Ruby On Rails versions 3.7.1 et antérieures |
References
| Title | Publication Time | Tags | |||
|---|---|---|---|---|---|
|
|||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Ruby On Rails versions 4.0.0.beta7 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 2.12.4 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
},
{
"description": "Ruby On Rails versions 3.7.1 et ant\u00e9rieures",
"product": {
"name": "Ruby on Rails",
"vendor": {
"name": "Ruby on Rails",
"scada": false
}
}
}
],
"affected_systems_content": null,
"content": "## Solution\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des\ncorrectifs (cf. section Documentation).\n",
"cves": [
{
"name": "CVE-2018-3760",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-3760"
}
],
"links": [],
"reference": "CERTFR-2018-AVI-297",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2018-06-20T00:00:00.000000"
}
],
"risks": [
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
}
],
"summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans Ruby On Rails. Elle permet \u00e0 un\nattaquant de provoquer une atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es.\n",
"title": "Vuln\u00e9rabilit\u00e9 dans Ruby On Rails",
"vendor_advisories": [
{
"published_at": null,
"title": "Bulletin de s\u00e9curit\u00e9 Ruby On Rails [CVE-2018-3760] du 19 juin 2018",
"url": "https://groups.google.com/forum/#!topic/rubyonrails-security/ft_J--l55fM"
}
]
}
FKIE_CVE-2018-3760
Vulnerability from fkie_nvd - Published: 2018-06-26 19:29 - Updated: 2024-11-21 04:06
Severity ?
Summary
There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application's root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| redhat | cloudforms | 4.5 | |
| redhat | cloudforms | 4.6 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 6.7 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux | 7.3 | |
| redhat | enterprise_linux | 7.4 | |
| redhat | enterprise_linux | 7.5 | |
| redhat | enterprise_linux | 7.6 | |
| sprockets_project | sprockets | * | |
| sprockets_project | sprockets | * | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| sprockets_project | sprockets | 4.0.0 | |
| debian | debian_linux | 9.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*",
"matchCriteriaId": "32E1BA91-4695-4E64-A9D7-4A6CB6904D41",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"matchCriteriaId": "67F7263F-113D-4BAE-B8CB-86A61531A2AC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"matchCriteriaId": "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*",
"matchCriteriaId": "84FF61DF-D634-4FB5-8DF1-01F631BE1A7A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"matchCriteriaId": "142AD0DD-4CF3-4D74-9442-459CE3347E3A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*",
"matchCriteriaId": "B99A2411-7F6A-457F-A7BF-EB13C630F902",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
"matchCriteriaId": "041F9200-4C01-4187-AE34-240E8277B54D",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*",
"matchCriteriaId": "4EB48767-F095-444F-9E05-D9AC345AB803",
"vulnerable": true
},
{
"criteria": "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*",
"matchCriteriaId": "5F6FA12B-504C-4DBF-A32E-0548557AA2ED",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
"matchCriteriaId": "679411A0-8348-42CE-9077-11E82FADA9FC",
"versionEndIncluding": "2.12.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
"matchCriteriaId": "6ADAEC05-67A2-4861-A986-4C0A4428EAA8",
"versionEndIncluding": "3.7.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta1:*:*:*:*:*:*",
"matchCriteriaId": "E476722A-DCFD-427D-8F67-3C2A996817EC",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta2:*:*:*:*:*:*",
"matchCriteriaId": "7D018749-4416-4ADA-B701-892F3581F31A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "3248E9DE-D943-48E3-B611-A65E351C79ED",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "A82607FD-015B-4740-9950-EE783A79C4F3",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "EBCEA292-1CD8-45D6-A495-2085F40B9423",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "79C7FBAE-F4C2-458A-AD65-CC85A956F93F",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "D873B105-7A65-4EB1-87A2-72C7CF365BF5",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
},
{
"lang": "es",
"value": "Existe una vulnerabilidad de fuga de informaci\u00f3n en Sprockets. Versiones afectadas: 4.0.0.beta7 y anteriores, 3.7.1 y anteriores y 2.12.4 y anteriores. Las peticiones especialmente manipuladas se pueden utilizar para acceder a archivos que existen en el sistema de archivos que est\u00e1 fuera del directorio root de la aplicaci\u00f3n, cuando el servidor de Sprockets se utiliza en producci\u00f3n. Todos los usuarios que ejecuten una distribuci\u00f3n afectada deben actualizarla o utilizar una de las alternativas inmediatamente."
}
],
"id": "CVE-2018-3760",
"lastModified": "2024-11-21T04:06:01.503",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": true,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2018-06-26T19:29:00.343",
"references": [
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"source": "support@hackerone.com",
"tags": [
"Broken Link"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"source": "support@hackerone.com",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"source": "support@hackerone.com",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Broken Link"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"sourceIdentifier": "support@hackerone.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-22"
}
],
"source": "support@hackerone.com",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
GHSA-PR3H-JJHJ-573X
Vulnerability from github – Published: 2018-06-20 22:18 – Updated: 2023-09-05 21:05
VLAI?
Summary
Sprockets path traversal leads to information leak
Details
Specially crafted requests can be used to access files that exist on the filesystem that is outside an application's root directory, when the Sprockets server is used in production.
All users running an affected release should either upgrade or use one of the work arounds immediately.
Workaround:
In Rails applications, work around this issue, set config.assets.compile = false and config.public_file_server.enabled = true in an initializer and precompile the assets.
This work around will not be possible in all hosting environments and upgrading is advised.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "sprockets"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0"
},
{
"fixed": "3.7.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 4.0.0.beta7"
},
"package": {
"ecosystem": "RubyGems",
"name": "sprockets"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0.beta1"
},
{
"fixed": "4.0.0.beta8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "sprockets"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.12.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2018-3760"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-22"
],
"github_reviewed": true,
"github_reviewed_at": "2020-06-16T21:49:53Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "Specially crafted requests can be used to access files that exist on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production.\n \nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n \n### Workaround:\n \nIn Rails applications, work around this issue, set `config.assets.compile = false` and `config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\nThis work around will not be possible in all hosting environments and upgrading is advised.",
"id": "GHSA-pr3h-jjhj-573x",
"modified": "2023-09-05T21:05:18Z",
"published": "2018-06-20T22:18:58Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3760"
},
{
"type": "WEB",
"url": "https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"type": "WEB",
"url": "https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441"
},
{
"type": "WEB",
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"type": "PACKAGE",
"url": "https://github.com/rails/sprockets"
},
{
"type": "WEB",
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4242"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Sprockets path traversal leads to information leak"
}
WID-SEC-W-2025-1086
Vulnerability from csaf_certbund - Published: 2018-07-24 22:00 - Updated: 2025-05-18 22:00Summary
Red Hat Enterprise Linux: Schwachstelle ermöglicht Offenlegung von Informationen
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
Die Produkte der Red Hat Enterprise Linux Produktfamilie sind Linux-Distribution der Firma Red Hat.
Angriff
Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen.
Betroffene Betriebssysteme
- Linux
{
"document": {
"aggregate_severity": {
"text": "mittel"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Die Produkte der Red Hat Enterprise Linux Produktfamilie sind Linux-Distribution der Firma Red Hat.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann eine Schwachstelle in Red Hat Enterprise Linux ausnutzen, um Informationen offenzulegen.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1086 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2018/wid-sec-w-2025-1086.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1086 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1086"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2244 vom 2018-07-24",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2245 vom 2018-07-24",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2561 vom 2018-09-05",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2018:2745 vom 2018-09-27",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2018:3073-1 vom 2018-10-08",
"url": "https://www.suse.com/support/update/announcement/2018/suse-su-20183073-1.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15127-1 vom 2025-05-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WTUL6Z6BEZPYXPSOOLULWWB5HXRXARXY/"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15128-1 vom 2025-05-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5RRXSPGRXVMLQ5YNC7KQPFZOP56ZV6NB/"
}
],
"source_lang": "en-US",
"title": "Red Hat Enterprise Linux: Schwachstelle erm\u00f6glicht Offenlegung von Informationen",
"tracking": {
"current_release_date": "2025-05-18T22:00:00.000+00:00",
"generator": {
"date": "2025-05-19T08:27:28.987+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-1086",
"initial_release_date": "2018-07-24T22:00:00.000+00:00",
"revision_history": [
{
"date": "2018-07-24T22:00:00.000+00:00",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2018-07-24T22:00:00.000+00:00",
"number": "2",
"summary": "Version nicht vorhanden"
},
{
"date": "2018-08-02T22:00:00.000+00:00",
"number": "3",
"summary": "Added references"
},
{
"date": "2018-08-02T22:00:00.000+00:00",
"number": "4",
"summary": "Version nicht vorhanden"
},
{
"date": "2018-09-04T22:00:00.000+00:00",
"number": "5",
"summary": "New remediations available"
},
{
"date": "2018-09-26T22:00:00.000+00:00",
"number": "6",
"summary": "New remediations available"
},
{
"date": "2018-10-08T22:00:00.000+00:00",
"number": "7",
"summary": "New remediations available"
},
{
"date": "2018-10-09T22:00:00.000+00:00",
"number": "8",
"summary": "?"
},
{
"date": "2025-05-18T22:00:00.000+00:00",
"number": "9",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "9"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Red Hat Enterprise Linux",
"product": {
"name": "Red Hat Enterprise Linux",
"product_id": "67646",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:-"
}
}
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2018-3760",
"product_status": {
"known_affected": [
"T002207",
"67646",
"T027843"
]
},
"release_date": "2018-07-24T22:00:00.000+00:00",
"title": "CVE-2018-3760"
}
]
}
GSD-2018-3760
Vulnerability from gsd - Updated: 2018-06-19 00:00Details
Specially crafted requests can be used to access files that exist on
the filesystem that is outside an application's root directory, when the
Sprockets server is used in production.
All users running an affected release should either upgrade or use one of the work arounds immediately.
Workaround:
In Rails applications, work around this issue, set `config.assets.compile = false` and
`config.public_file_server.enabled = true` in an initializer and precompile the assets.
This work around will not be possible in all hosting environments and upgrading is advised.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2018-3760",
"description": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"id": "GSD-2018-3760",
"references": [
"https://www.suse.com/security/cve/CVE-2018-3760.html",
"https://www.debian.org/security/2018/dsa-4242",
"https://access.redhat.com/errata/RHSA-2018:2745",
"https://access.redhat.com/errata/RHSA-2018:2561",
"https://access.redhat.com/errata/RHSA-2018:2245",
"https://access.redhat.com/errata/RHSA-2018:2244"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "sprockets",
"purl": "pkg:gem/sprockets"
}
}
],
"aliases": [
"CVE-2018-3760",
"GHSA-pr3h-jjhj-573x"
],
"details": "Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application\u0027s root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n",
"id": "GSD-2018-3760",
"modified": "2018-06-19T00:00:00.000Z",
"published": "2018-06-19T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 7.5,
"type": "CVSS_V3"
}
],
"summary": "Path Traversal in Sprockets"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "support@hackerone.com",
"DATE_PUBLIC": "2018-06-19T00:00:00",
"ID": "CVE-2018-3760",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Sprockets",
"version": {
"version_data": [
{
"version_value": "4.0.0.beta8, 3.7.2, 2.12.5"
}
]
}
}
]
},
"vendor_name": "HackerOne"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Path Traversal (CWE-22)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5",
"refsource": "MISC",
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "RHSA-2018:2745",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
},
{
"name": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
"refsource": "MISC",
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "RHSA-2018:2244",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2245",
"refsource": "REDHAT",
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "DSA-4242",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2018/dsa-4242"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2018-3760",
"cvss_v3": 7.5,
"date": "2018-06-19",
"description": "Specially crafted requests can be used to access files that exist on\nthe filesystem that is outside an application\u0027s root directory, when the\nSprockets server is used in production.\n\nAll users running an affected release should either upgrade or use one of the work arounds immediately.\n\nWorkaround:\nIn Rails applications, work around this issue, set `config.assets.compile = false` and\n`config.public_file_server.enabled = true` in an initializer and precompile the assets.\n\n This work around will not be possible in all hosting environments and upgrading is advised.\n",
"gem": "sprockets",
"ghsa": "pr3h-jjhj-573x",
"patched_versions": [
"\u003e= 2.12.5, \u003c 3.0.0",
"\u003e= 3.7.2, \u003c 4.0.0",
"\u003e= 4.0.0.beta8"
],
"title": "Path Traversal in Sprockets",
"url": "https://groups.google.com/forum/#!topic/ruby-security-ann/2S9Pwz2i16k"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c2.12.5||\u003e=3.0.0 \u003c3.7.2",
"affected_versions": "All versions before 2.12.5, all versions starting from 3.0.0 before 3.7.2",
"cvss_v2": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"cvss_v3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-200",
"CWE-937"
],
"date": "2023-06-23",
"description": "The package sprockets may leak confidential information. Specially crafted requests can be used to access files that exist on the filesystem that are outside an application\u0027s root directory when the server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately.",
"fixed_versions": [
"2.12.5",
"3.7.2",
"4.0.0"
],
"identifier": "CVE-2018-3760",
"identifiers": [
"CVE-2018-3760"
],
"not_impacted": "All versions starting from 2.12.5 before 3.0.0, all versions starting from 3.7.2",
"package_slug": "gem/sprockets",
"pubdate": "2018-06-26",
"solution": "Upgrade to versions 2.12.5, 3.7.2 or above.",
"title": "Information Exposure",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2018-3760",
"https://groups.google.com/g/ruby-security-ann/c/2S9Pwz2i16k",
"https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5f",
"https://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441",
"https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
],
"uuid": "f7ce2186-d55b-4f87-8263-f068862734ad"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.7:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.4:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:redhat:enterprise_linux:7.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:redhat:cloudforms:4.5:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "2.12.4",
"versionStartIncluding": "2.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta7:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta6:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta5:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta4:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta2:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "3.7.1",
"versionStartIncluding": "3.0.0",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta3:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:sprockets_project:sprockets:4.0.0:beta1:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assignments@hackerone.com",
"ID": "CVE-2018-3760"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "There is an information leak vulnerability in Sprockets. Versions Affected: 4.0.0.beta7 and lower, 3.7.1 and lower, 2.12.4 and lower. Specially crafted requests can be used to access files that exists on the filesystem that is outside an application\u0027s root directory, when the Sprockets server is used in production. All users running an affected release should either upgrade or use one of the work arounds immediately."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-200"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://groups.google.com/d/msg/rubyonrails-security/ft_J--l55fM/7roDfQ50BwAJ"
},
{
"name": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5",
"refsource": "MISC",
"tags": [
"Broken Link"
],
"url": "https://github.com/rails/sprockets/commit/c09131cf5b2c479263939c8582e22b98ed616c5fhttps://github.com/rails/sprockets/commit/9c34fa05900b968d74f08ccf40917848a7be9441https://github.com/rails/sprockets/commit/18b8a7f07a50c245e9aee7854ecdbe606bbd8bb5"
},
{
"name": "DSA-4242",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2018/dsa-4242"
},
{
"name": "RHSA-2018:2245",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2245"
},
{
"name": "RHSA-2018:2244",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2244"
},
{
"name": "RHSA-2018:2561",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2561"
},
{
"name": "RHSA-2018:2745",
"refsource": "REDHAT",
"tags": [
"Third Party Advisory"
],
"url": "https://access.redhat.com/errata/RHSA-2018:2745"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": true,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.0"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2019-10-09T23:40Z",
"publishedDate": "2018-06-26T19:29Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…