rhba-2019_1076
Vulnerability from csaf_redhat
Published
2019-05-08 12:47
Modified
2024-11-13 22:06
Summary
Red Hat Bug Fix Advisory: ovirt-engine-api-explorer bug fix and enhancement update for RHV 4.3

Notes

Topic
Updated ovirt-engine-api-explorer packages that fix several bugs and add various enhancements are now available.
Details
The ovirt-engine-api-explorer package provides a web application for exploring the oVirt API documentation.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.



{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated ovirt-engine-api-explorer packages that fix several bugs and add various enhancements are now available.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "The ovirt-engine-api-explorer package provides a web application for exploring the oVirt API documentation.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHBA-2019:1076",
        "url": "https://access.redhat.com/errata/RHBA-2019:1076"
      },
      {
        "category": "external",
        "summary": "1639272",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1639272"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhba-2019_1076.json"
      }
    ],
    "title": "Red Hat Bug Fix Advisory: ovirt-engine-api-explorer bug fix and enhancement update for RHV 4.3",
    "tracking": {
      "current_release_date": "2024-11-13T22:06:02+00:00",
      "generator": {
        "date": "2024-11-13T22:06:02+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.0"
        }
      },
      "id": "RHBA-2019:1076",
      "initial_release_date": "2019-05-08T12:47:06+00:00",
      "revision_history": [
        {
          "date": "2019-05-08T12:47:06+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-05-08T12:47:06+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-13T22:06:02+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "RHV-M 4.3",
                "product": {
                  "name": "RHV-M 4.3",
                  "product_id": "7Server-RHV-S-4.3",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:rhev_manager:4.3"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat Virtualization"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src",
                "product": {
                  "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src",
                  "product_id": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ovirt-engine-api-explorer@0.0.4-1.el7ev?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
                "product": {
                  "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
                  "product_id": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ovirt-engine-api-explorer@0.0.4-1.el7ev?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch as a component of RHV-M 4.3",
          "product_id": "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch"
        },
        "product_reference": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
        "relates_to_product_reference": "7Server-RHV-S-4.3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src as a component of RHV-M 4.3",
          "product_id": "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
        },
        "product_reference": "ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src",
        "relates_to_product_reference": "7Server-RHV-S-4.3"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2016-10735",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2019-01-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1668097"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bootstrap: XSS in the data-target attribute",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2016-10735"
        },
        {
          "category": "external",
          "summary": "RHBZ#1668097",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
          "url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
        }
      ],
      "release_date": "2016-06-27T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-05-08T12:47:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
          "product_ids": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2019:1076"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bootstrap: XSS in the data-target attribute"
    },
    {
      "cve": "CVE-2018-20676",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2019-01-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1668082"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bootstrap: XSS in the tooltip data-viewport attribute",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-20676"
        },
        {
          "category": "external",
          "summary": "RHBZ#1668082",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668082"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-20676",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-20676"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-20676",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20676"
        }
      ],
      "release_date": "2018-08-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-05-08T12:47:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
          "product_ids": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2019:1076"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bootstrap: XSS in the tooltip data-viewport attribute"
    },
    {
      "cve": "CVE-2018-20677",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
      },
      "discovery_date": "2019-01-09T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1668089"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "bootstrap: XSS in the affix configuration target property",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
          "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2018-20677"
        },
        {
          "category": "external",
          "summary": "RHBZ#1668089",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668089"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2018-20677",
          "url": "https://www.cve.org/CVERecord?id=CVE-2018-20677"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-20677",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20677"
        }
      ],
      "release_date": "2018-08-10T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-05-08T12:47:06+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
          "product_ids": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHBA-2019:1076"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          },
          "products": [
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.noarch",
            "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.4-1.el7ev.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "bootstrap: XSS in the affix configuration target property"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.