Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2019-14849 (GCVE-0-2019-14849)
Vulnerability from cvelistv5 – Published: 2019-12-12 13:14 – Updated: 2024-08-05 00:26
VLAI?
EPSS
Summary
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
Severity ?
4.6 (Medium)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "3scale",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-12T13:14:53",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14849",
"datePublished": "2019-12-12T13:14:53",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*\", \"versionEndExcluding\": \"2.6\", \"matchCriteriaId\": \"2700E9B2-AE29-44B4-B1F2-FBC912ED0A05\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.\"}, {\"lang\": \"es\", \"value\": \"Se encontr\\u00f3 una vulnerabilidad en 3scale versi\\u00f3n anterior a 2.6, no estableci\\u00f3 el atributo HTTPOnly en la cookie de sesi\\u00f3n del usuario. Un atacante podr\\u00eda usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a informaci\\u00f3n no autorizada.\"}]",
"id": "CVE-2019-14849",
"lastModified": "2024-11-21T04:27:29.613",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\", \"baseScore\": 5.4, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"CHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.3, \"impactScore\": 2.7}], \"cvssMetricV30\": [{\"source\": \"secalert@redhat.com\", \"type\": \"Secondary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\", \"baseScore\": 4.6, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"LOW\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 2.1, \"impactScore\": 2.5}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:M/Au:S/C:N/I:P/A:N\", \"baseScore\": 3.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"MEDIUM\", \"authentication\": \"SINGLE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"LOW\", \"exploitabilityScore\": 6.8, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": true}]}",
"published": "2019-12-12T14:15:15.257",
"references": "[{\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"Vendor Advisory\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"secalert@redhat.com\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-201\"}]}, {\"source\": \"nvd@nist.gov\", \"type\": \"Secondary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-79\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2019-14849\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2019-12-12T14:15:15.257\",\"lastModified\":\"2024-11-21T04:27:29.613\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en 3scale versi\u00f3n anterior a 2.6, no estableci\u00f3 el atributo HTTPOnly en la cookie de sesi\u00f3n del usuario. Un atacante podr\u00eda usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a informaci\u00f3n no autorizada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6\",\"matchCriteriaId\":\"2700E9B2-AE29-44B4-B1F2-FBC912ED0A05\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
}
}
RHSA-2019_2534
Vulnerability from csaf_redhat - Published: 2019-08-21 11:44 - Updated: 2024-11-15 04:08Summary
Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update
Notes
Topic
A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.
Security Fix(es):
* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.\n\nSecurity Fix(es):\n\n* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2534",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "THREESCALE-2852",
"url": "https://issues.redhat.com/browse/THREESCALE-2852"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update",
"tracking": {
"current_release_date": "2024-11-15T04:08:50+00:00",
"generator": {
"date": "2024-11-15T04:08:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2534",
"initial_release_date": "2019-08-21T11:44:18+00:00",
"revision_history": [
{
"date": "2019-08-21T11:44:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-21T11:44:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T04:08:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHAMP-2.6",
"product": {
"name": "RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:3scale_amp:2"
}
}
}
],
"category": "product_family",
"name": "3scale API Management"
},
{
"branches": [
{
"category": "product_version",
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_id": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/apicast-gateway\u0026tag=1.15-9"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_id": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/backend\u0026tag=1.9-24"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_id": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/zync\u0026tag=1.9-28"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/3scale-operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_id": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/toolbox\u0026tag=latest"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64"
},
"product_reference": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64"
},
"product_reference": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64"
},
"product_reference": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
},
"product_reference": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Netanel"
],
"organization": "Cloudinary",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-10216",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1737080"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: -dSAFER escape via .buildfont1 (701394)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10216"
},
{
"category": "external",
"summary": "RHBZ#1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10216",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216"
}
],
"release_date": "2019-08-12T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: -dSAFER escape via .buildfont1 (701394)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14811",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14811"
},
{
"category": "external",
"summary": "RHBZ#1743757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14811"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14812",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743754"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14812"
},
{
"category": "external",
"summary": "RHBZ#1743754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14812",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14813",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743737"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14813"
},
{
"category": "external",
"summary": "RHBZ#1743737",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743737"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14813"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
}
],
"cve": "CVE-2019-14817",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1744042"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14817"
},
{
"category": "external",
"summary": "RHBZ#1744042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744042"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14817",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)"
},
{
"cve": "CVE-2019-14849",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2019-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1712167"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. An attacker could abuse this flaw to conduct Cross-site Scripting attacks and gain access to unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "3scale: user session cookie does not set HTTPOnly",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"category": "external",
"summary": "RHBZ#1712167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14849",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
}
],
"release_date": "2019-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "3scale: user session cookie does not set HTTPOnly"
}
]
}
RHSA-2019:2534
Vulnerability from csaf_redhat - Published: 2019-08-21 11:44 - Updated: 2025-11-21 18:09Summary
Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update
Notes
Topic
A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.
Security Fix(es):
* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.\n\nSecurity Fix(es):\n\n* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2534",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "THREESCALE-2852",
"url": "https://issues.redhat.com/browse/THREESCALE-2852"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update",
"tracking": {
"current_release_date": "2025-11-21T18:09:50+00:00",
"generator": {
"date": "2025-11-21T18:09:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.6.12"
}
},
"id": "RHSA-2019:2534",
"initial_release_date": "2019-08-21T11:44:18+00:00",
"revision_history": [
{
"date": "2019-08-21T11:44:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-21T11:44:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2025-11-21T18:09:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHAMP-2.6",
"product": {
"name": "RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:3scale_amp:2"
}
}
}
],
"category": "product_family",
"name": "3scale API Management"
},
{
"branches": [
{
"category": "product_version",
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_id": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/apicast-gateway\u0026tag=1.15-9"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_id": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/backend\u0026tag=1.9-24"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_id": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/zync\u0026tag=1.9-28"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/3scale-operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_id": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/toolbox\u0026tag=latest"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64"
},
"product_reference": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64"
},
"product_reference": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64"
},
"product_reference": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
},
"product_reference": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Netanel"
],
"organization": "Cloudinary",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-10216",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1737080"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: -dSAFER escape via .buildfont1 (701394)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10216"
},
{
"category": "external",
"summary": "RHBZ#1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10216",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216"
}
],
"release_date": "2019-08-12T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: -dSAFER escape via .buildfont1 (701394)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14811",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14811"
},
{
"category": "external",
"summary": "RHBZ#1743757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14811"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14812",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743754"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14812"
},
{
"category": "external",
"summary": "RHBZ#1743754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14812",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14813",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743737"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14813"
},
{
"category": "external",
"summary": "RHBZ#1743737",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743737"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14813"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
}
],
"cve": "CVE-2019-14817",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1744042"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14817"
},
{
"category": "external",
"summary": "RHBZ#1744042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744042"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14817",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)"
},
{
"cve": "CVE-2019-14849",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2019-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1712167"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. An attacker could abuse this flaw to conduct Cross-site Scripting attacks and gain access to unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "3scale: user session cookie does not set HTTPOnly",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"category": "external",
"summary": "RHBZ#1712167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14849",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
}
],
"release_date": "2019-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "3scale: user session cookie does not set HTTPOnly"
}
]
}
GSD-2019-14849
Vulnerability from gsd - Updated: 2023-12-13 01:23Details
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-14849",
"description": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GSD-2019-14849",
"references": [
"https://access.redhat.com/errata/RHSA-2019:2534"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-14849"
],
"details": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GSD-2019-14849",
"modified": "2023-12-13T01:23:52.662572Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "3scale",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-201",
"lang": "eng",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14849"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-02-12T23:35Z",
"publishedDate": "2019-12-12T14:15Z"
}
}
}
GHSA-8V4X-G74W-CGG6
Vulnerability from github – Published: 2022-05-24 17:03 – Updated: 2023-02-02 21:33
VLAI?
Details
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
Severity ?
5.4 (Medium)
{
"affected": [],
"aliases": [
"CVE-2019-14849"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GHSA-8v4x-g74w-cgg6",
"modified": "2023-02-02T21:33:45Z",
"published": "2022-05-24T17:03:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
CNVD-2020-01021
Vulnerability from cnvd - Published: 2020-01-08
VLAI Severity ?
Title
Red Hat 3scale跨站脚本漏洞
Description
Red Hat 3scale是美国红帽(Red Hat)公司的一套API(应用程序编程接口)生命周期管理软件。
Red Hat 3scale中存在跨站脚本漏洞,该漏洞源于用户会话cookie未能设置HTTPOnly,攻击者可利用该漏洞实施跨站脚本攻击并获取未授权信息的访问权限。
Severity
低
Formal description
厂商尚未提供漏洞修复方案,请关注厂商主页更新: https://www.3scale.net/
Reference
https://access.redhat.com/security/cve/cve-2019-14849
Impacted products
| Name | Red Hat 3scale <2.6 |
|---|
{
"cves": {
"cve": {
"cveNumber": "CVE-2019-14849",
"cveUrl": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14849"
}
},
"description": "Red Hat 3scale\u662f\u7f8e\u56fd\u7ea2\u5e3d\uff08Red Hat\uff09\u516c\u53f8\u7684\u4e00\u5957API\uff08\u5e94\u7528\u7a0b\u5e8f\u7f16\u7a0b\u63a5\u53e3\uff09\u751f\u547d\u5468\u671f\u7ba1\u7406\u8f6f\u4ef6\u3002\n\nRed Hat 3scale\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u7528\u6237\u4f1a\u8bddcookie\u672a\u80fd\u8bbe\u7f6eHTTPOnly\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5b9e\u65bd\u8de8\u7ad9\u811a\u672c\u653b\u51fb\u5e76\u83b7\u53d6\u672a\u6388\u6743\u4fe1\u606f\u7684\u8bbf\u95ee\u6743\u9650\u3002",
"formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.3scale.net/",
"isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
"number": "CNVD-2020-01021",
"openTime": "2020-01-08",
"products": {
"product": "Red Hat 3scale \u003c2.6"
},
"referenceLink": "https://access.redhat.com/security/cve/cve-2019-14849",
"serverity": "\u4f4e",
"submitTime": "2019-12-11",
"title": "Red Hat 3scale\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e"
}
FKIE_CVE-2019-14849
Vulnerability from fkie_nvd - Published: 2019-12-12 14:15 - Updated: 2024-11-21 04:27
Severity ?
Summary
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
References
| URL | Tags | ||
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2700E9B2-AE29-44B4-B1F2-FBC912ED0A05",
"versionEndExcluding": "2.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en 3scale versi\u00f3n anterior a 2.6, no estableci\u00f3 el atributo HTTPOnly en la cookie de sesi\u00f3n del usuario. Un atacante podr\u00eda usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a informaci\u00f3n no autorizada."
}
],
"id": "CVE-2019-14849",
"lastModified": "2024-11-21T04:27:29.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-12T14:15:15.257",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…