Executive Summary
Summary | |
---|---|
Title | ruby193-rubygem-actionpack security update |
Informations | |||
---|---|---|---|
Name | RHSA-2014:0008 | First vendor Publication | 2014-01-06 |
Vendor | RedHat | Last vendor Modification | 2014-01-06 |
Severity (Vendor) | Important | Revision | 01 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:N) | |||
---|---|---|---|
Cvss Base Score | 6.4 | Attack Range | Network |
Cvss Impact Score | 4.9 | Attack Complexity | Low |
Cvss Expoit Score | 10 | Authentication | None Required |
Calculate full CVSS 2.0 Vectors scores |
Detail
Problem Description: Updated ruby193-rubygem-actionpack packages that fix multiple security issues are now available for Red Hat OpenStack 3.0. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: OpenStack 3 - noarch 3. Description: Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. A flaw was found in the way Ruby on Rails performed JSON parameter parsing. An application using a third party library, which uses the Rack::Request interface, or custom Rack middleware could bypass the protection implemented to fix the CVE-2013-0155 vulnerability, causing the application to receive unsafe parameters and become vulnerable to CVE-2013-0155. (CVE-2013-6417) It was discovered that the internationalization component of Ruby on Rails could, under certain circumstances, return a fallback HTML string that contained user input. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491) A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414) It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. (CVE-2013-6415) Users of Red Hat OpenStack 3.0 are advised to upgrade to these updated packages, which correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/site/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1036409 - CVE-2013-6417 rubygem-actionpack: unsafe query generation risk (incomplete fix for CVE-2013-0155) 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS |
Original Source
Url : https://rhn.redhat.com/errata/RHSA-2014-0008.html |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
40 % | CWE-264 | Permissions, Privileges, and Access Controls |
40 % | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') (CWE/SANS Top 25) |
20 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:17800 | |||
Oval ID: | oval:org.mitre.oval:def:17800 | ||
Title: | DSA-2609-1 rails - SQL query manipulation | ||
Description: | An interpretation conflict can cause the Active Record component of Rails, a web framework for the Ruby programming language, to truncate queries in unexpected ways. This may allow attackers to elevate their privileges. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2609-1 CVE-2013-0155 | Version: | 7 |
Platform(s): | Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | rails |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2016-10-17 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_7e61cf44654911e6828600248c0c745d.nasl - Type : ACT_GATHER_INFO |
2014-12-15 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-28.nasl - Type : ACT_GATHER_INFO |
2014-11-19 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1863.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2014-1.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-990.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-989.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-988.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-987.nasl - Type : ACT_GATHER_INFO |
2014-06-13 | Name : The remote openSUSE host is missing a security update. File : openSUSE-2013-106.nasl - Type : ACT_GATHER_INFO |
2014-03-28 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2888.nasl - Type : ACT_GATHER_INFO |
2014-03-21 | Name : A web application on the remote host is affected by multiple vulnerabilities. File : puppet_enterprise_311.nasl - Type : ACT_GATHER_INFO |
2014-03-11 | Name : The remote Fedora host is missing a security update. File : fedora_2014-3232.nasl - Type : ACT_GATHER_INFO |
2014-03-07 | Name : The remote Fedora host is missing a security update. File : fedora_2013-23636.nasl - Type : ACT_GATHER_INFO |
2013-12-09 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_6a806960301644ed85758614a7cb57c7.nasl - Type : ACT_GATHER_INFO |
2013-06-05 | Name : The remote host is missing a Mac OS X update that fixes several security issues. File : macosx_SecUpd2013-002.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2013-0154.nasl - Type : ACT_GATHER_INFO |
2013-01-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-0686.nasl - Type : ACT_GATHER_INFO |
2013-01-23 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-0635.nasl - Type : ACT_GATHER_INFO |
2013-01-21 | Name : The remote Fedora host is missing one or more security updates. File : fedora_2013-0568.nasl - Type : ACT_GATHER_INFO |
2013-01-17 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2609.nasl - Type : ACT_GATHER_INFO |
2013-01-09 | Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_ca5d327259e311e2853b00262d5ed8ee.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-01-06 21:19:04 |
|