rhba-2019_1570
Vulnerability from csaf_redhat
Published
2019-06-20 14:47
Modified
2024-09-13 19:47
Summary
Red Hat Bug Fix Advisory: ovirt-engine-api-explorer bug fix and enhancement update for RHV 4.3.4
Notes
Topic
Updated ovirt-engine-api-explorer packages that fix several bugs and add various enhancements are now available.
Details
The ovirt-engine-api-explorer package provides a web application for exploring the oVirt API documentation.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Moderate"
},
"category": "csaf_vex",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Updated ovirt-engine-api-explorer packages that fix several bugs and add various enhancements are now available.",
"title": "Topic"
},
{
"category": "general",
"text": "The ovirt-engine-api-explorer package provides a web application for exploring the oVirt API documentation.",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat offerings.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHBA-2019:1570",
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
},
{
"category": "external",
"summary": "1710688",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1710688"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/data/csaf/v2/advisories/2019/rhba-2019_1570.json"
}
],
"title": "Red Hat Bug Fix Advisory: ovirt-engine-api-explorer bug fix and enhancement update for RHV 4.3.4",
"tracking": {
"current_release_date": "2024-09-13T19:47:47+00:00",
"generator": {
"date": "2024-09-13T19:47:47+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "3.33.3"
}
},
"id": "RHBA-2019:1570",
"initial_release_date": "2019-06-20T14:47:51+00:00",
"revision_history": [
{
"date": "2019-06-20T14:47:51+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-06-20T14:47:51+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-09-13T19:47:47+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHV-M 4.3",
"product": {
"name": "RHV-M 4.3",
"product_id": "7Server-RHV-S-4.3",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:rhev_manager:4.3"
}
}
}
],
"category": "product_family",
"name": "Red Hat Virtualization"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src",
"product": {
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src",
"product_id": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-api-explorer@0.0.5-1.el7ev?arch=src"
}
}
}
],
"category": "architecture",
"name": "src"
},
{
"branches": [
{
"category": "product_version",
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"product": {
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"product_id": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"product_identification_helper": {
"purl": "pkg:rpm/redhat/ovirt-engine-api-explorer@0.0.5-1.el7ev?arch=noarch"
}
}
}
],
"category": "architecture",
"name": "noarch"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch as a component of RHV-M 4.3",
"product_id": "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch"
},
"product_reference": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"relates_to_product_reference": "7Server-RHV-S-4.3"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src as a component of RHV-M 4.3",
"product_id": "7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
},
"product_reference": "ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src",
"relates_to_product_reference": "7Server-RHV-S-4.3"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-10735",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668097"
}
],
"notes": [
{
"category": "description",
"text": "In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the data-target attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Enterprise Satellite 5 is now in Maintenance Support 2 phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Satellite 5 Life Cycle: https://access.redhat.com/support/policy/updates/satellite.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2016-10735"
},
{
"category": "external",
"summary": "RHBZ#1668097",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668097"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2016-10735",
"url": "https://www.cve.org/CVERecord?id=CVE-2016-10735"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2016-10735"
}
],
"release_date": "2016-06-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: XSS in the data-target attribute"
},
{
"cve": "CVE-2018-20676",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668082"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting, caused by improper validation of user-supplied input by the tooltip data-viewport attribute. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the tooltip data-viewport attribute",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-20676"
},
{
"category": "external",
"summary": "RHBZ#1668082",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668082"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-20676",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20676"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-20676",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20676"
}
],
"release_date": "2018-08-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: XSS in the tooltip data-viewport attribute"
},
{
"cve": "CVE-2018-20677",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-01-09T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1668089"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in Bootstrap, where it is vulnerable to Cross-site scripting caused by improper validation of user-supplied input by the affix configuration target property. This flaw allows a remote attacker to execute a script in a victim\u0027s Web browser within the security context of the hosting Web site, which can lead to stealing the victim\u0027s cookie-based authentication credentials.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "bootstrap: XSS in the affix configuration target property",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat CloudForms 4.6 and newer versions include the vulnerable component, but there is no risk of exploitation, since there is no possible vector to access the vulnerability. Older Red Hat CloudForms versions do not use the vulnerable component at all.\n\nRed Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2018-20677"
},
{
"category": "external",
"summary": "RHBZ#1668089",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1668089"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2018-20677",
"url": "https://www.cve.org/CVERecord?id=CVE-2018-20677"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2018-20677",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-20677"
}
],
"release_date": "2018-08-10T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "bootstrap: XSS in the affix configuration target property"
},
{
"cve": "CVE-2019-11358",
"cwe": {
"id": "CWE-79",
"name": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)"
},
"discovery_date": "2019-03-28T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1701972"
}
],
"notes": [
{
"category": "description",
"text": "A Prototype Pollution vulnerability was found in jquery. Untrusted JSON passed to the `extend` function could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection",
"title": "Vulnerability summary"
},
{
"category": "other",
"text": "Red Hat Virtualization 4.2 EUS contains the affected version of bootstrap in the packages ovirt-js-dependencies and ovirt-engine-dashboard. These packages are deprecated in Red Hat Virtualization 4.3.",
"title": "Statement"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-11358"
},
{
"category": "external",
"summary": "RHBZ#1701972",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1701972"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-11358",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11358"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-11358"
},
{
"category": "external",
"summary": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/",
"url": "https://blog.jquery.com/2019/04/10/jquery-3-4-0-released/"
},
{
"category": "external",
"summary": "https://www.drupal.org/sa-core-2019-006",
"url": "https://www.drupal.org/sa-core-2019-006"
}
],
"release_date": "2019-03-27T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/articles/2974891",
"product_ids": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHBA-2019:1570"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.noarch",
"7Server-RHV-S-4.3:ovirt-engine-api-explorer-0:0.0.5-1.el7ev.src"
]
}
],
"threats": [
{
"category": "impact",
"details": "Moderate"
}
],
"title": "jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection"
}
]
}
Loading...