cvelistv5 - CVE-2013-2068

CVE-2013-2068 (GCVE-0-2013-2068)

Vulnerability from cvelistv5

Published

2013-09-28 19:00

Modified

2024-08-06 15:27

Severity ?

CWE

Summary

Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

fkie_cve-2013-2068

Vulnerability from fkie_nvd

Published

2013-09-28 19:55

Modified

2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2013-1206.html	Vendor Advisory
secalert@redhat.com	http://www.exploit-db.com/exploits/30469
secalert@redhat.com	https://bugzilla.redhat.com/show_bug.cgi?id=960422
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2013-1206.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.exploit-db.com/exploits/30469
af854a3a-2127-422b-91ae-364da2661108	https://bugzilla.redhat.com/show_bug.cgi?id=960422

Impacted products

	Vendor	Product	Version
	redhat	cloudforms_management_engine	5.1

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms_management_engine:5.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B33708F-3EBC-4D66-A0E1-E55816B2E067",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method."
    },
    {
      "lang": "es",
      "value": "M\u00faltiples vulnerabilidades de recorrido de directorios en AgentController de Red Hat CloudForms Management Engine 2.0, permite a un atacante remoto crear y sobreescribir archivos a discrecci\u00f3n a tra\u00e9s de un .. (punto punto) en el par\u00e1metro de nombre de archivo para (1) log, (2) upload, o (3) m\u00e9todo linuxpgks"
    }
  ],
  "id": "CVE-2013-2068",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "COMPLETE",
          "baseScore": 9.4,
          "confidentialityImpact": "NONE",
          "integrityImpact": "COMPLETE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:C",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 9.2,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2013-09-28T19:55:02.977",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1206.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.exploit-db.com/exploits/30469"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1206.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.exploit-db.com/exploits/30469"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

rhsa-2013_1206

Vulnerability from csaf_redhat

Published

2013-09-04 18:07

Modified

2024-11-22 07:04

Summary

Red Hat Security Advisory: Red Hat CloudForms Management Engine security update

Notes

Topic

The RHSA-2013:1157 update for Red Hat CloudForms Management Engine included an additional fix that was not documented in the erratum. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

Red Hat CloudForms Management Engine provides the insight, control, and automation needed to address the challenges of managing virtual environments. Multiple directory traversal flaws were found in Red Hat CloudForms Management Engine. A remote, unauthenticated attacker could use these flaws to upload arbitrary code, and have that code executed with root privileges on Red Hat CloudForms Management Engine. (CVE-2013-2068) This issue was discovered by Ramon de C Valle of the Red Hat Product Security Team. Note: This issue was already addressed in the fixpack released as part of RHSA-2013:1157, however it was not documented and therefore the erratum was incorrectly rated as having important security impact. No new packages are available in this erratum; please install the fixpack as noted in RHSA-2013:1157. Refer to the Solution section of this erratum for installation instructions.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The RHSA-2013:1157 update for Red Hat CloudForms Management Engine included\nan additional fix that was not documented in the erratum.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat CloudForms Management Engine provides the insight, control, and\nautomation needed to address the challenges of managing virtual\nenvironments.\n\nMultiple directory traversal flaws were found in Red Hat CloudForms\nManagement Engine. A remote, unauthenticated attacker could use these flaws\nto upload arbitrary code, and have that code executed with root privileges\non Red Hat CloudForms Management Engine. (CVE-2013-2068)\n\nThis issue was discovered by Ramon de C Valle of the Red Hat Product\nSecurity Team.\n\nNote: This issue was already addressed in the fixpack released as part of\nRHSA-2013:1157, however it was not documented and therefore the erratum was\nincorrectly rated as having important security impact. No new packages are\navailable in this erratum; please install the fixpack as noted in\nRHSA-2013:1157.\n\nRefer to the Solution section of this erratum for installation\ninstructions.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1206",
        "url": "https://access.redhat.com/errata/RHSA-2013:1206"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/articles/450563",
        "url": "https://access.redhat.com/site/articles/450563"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "https://rhn.redhat.com/errata/RHSA-2013-1157.html",
        "url": "https://rhn.redhat.com/errata/RHSA-2013-1157.html"
      },
      {
        "category": "external",
        "summary": "960422",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1206.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat CloudForms Management Engine security update",
    "tracking": {
      "current_release_date": "2024-11-22T07:04:49+00:00",
      "generator": {
        "date": "2024-11-22T07:04:49+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.2.1"
        }
      },
      "id": "RHSA-2013:1206",
      "initial_release_date": "2013-09-04T18:07:00+00:00",
      "revision_history": [
        {
          "date": "2013-09-04T18:07:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-09-12T09:06:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2024-11-22T07:04:49+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat CloudForms 2.0",
                "product": {
                  "name": "Red Hat CloudForms 2.0",
                  "product_id": "Red Hat CloudForms 2.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cloudforms:2.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat CloudForms"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Ramon de C Valle"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-2068",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2013-05-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "960422"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat CloudForms 2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "RHBZ#960422",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2068",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068"
        }
      ],
      "release_date": "2013-09-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-09-04T18:07:00+00:00",
          "details": "The update is provided in a fixpack, available from:\n\nhttps://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=17971\n\nTo install the fixpack, follow the instructions in the following Red Hat\nKnowledge Base article:\n\nhttps://access.redhat.com/site/articles/450563",
          "product_ids": [
            "Red Hat CloudForms 2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1206"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "Red Hat CloudForms 2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities"
    }
  ]
}

RHSA-2013:1206

Vulnerability from csaf_redhat

Published

2013-09-04 18:07

Modified

2025-11-21 17:45

Summary

Red Hat Security Advisory: Red Hat CloudForms Management Engine security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The RHSA-2013:1157 update for Red Hat CloudForms Management Engine included\nan additional fix that was not documented in the erratum.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat CloudForms Management Engine provides the insight, control, and\nautomation needed to address the challenges of managing virtual\nenvironments.\n\nMultiple directory traversal flaws were found in Red Hat CloudForms\nManagement Engine. A remote, unauthenticated attacker could use these flaws\nto upload arbitrary code, and have that code executed with root privileges\non Red Hat CloudForms Management Engine. (CVE-2013-2068)\n\nThis issue was discovered by Ramon de C Valle of the Red Hat Product\nSecurity Team.\n\nNote: This issue was already addressed in the fixpack released as part of\nRHSA-2013:1157, however it was not documented and therefore the erratum was\nincorrectly rated as having important security impact. No new packages are\navailable in this erratum; please install the fixpack as noted in\nRHSA-2013:1157.\n\nRefer to the Solution section of this erratum for installation\ninstructions.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1206",
        "url": "https://access.redhat.com/errata/RHSA-2013:1206"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/articles/450563",
        "url": "https://access.redhat.com/site/articles/450563"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "https://rhn.redhat.com/errata/RHSA-2013-1157.html",
        "url": "https://rhn.redhat.com/errata/RHSA-2013-1157.html"
      },
      {
        "category": "external",
        "summary": "960422",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1206.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat CloudForms Management Engine security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:45:13+00:00",
      "generator": {
        "date": "2025-11-21T17:45:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2013:1206",
      "initial_release_date": "2013-09-04T18:07:00+00:00",
      "revision_history": [
        {
          "date": "2013-09-04T18:07:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-09-12T09:06:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:45:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat CloudForms 2.0",
                "product": {
                  "name": "Red Hat CloudForms 2.0",
                  "product_id": "Red Hat CloudForms 2.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cloudforms:2.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat CloudForms"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Ramon de C Valle"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-2068",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2013-05-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "960422"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat CloudForms 2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "RHBZ#960422",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2068",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068"
        }
      ],
      "release_date": "2013-09-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-09-04T18:07:00+00:00",
          "details": "The update is provided in a fixpack, available from:\n\nhttps://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=17971\n\nTo install the fixpack, follow the instructions in the following Red Hat\nKnowledge Base article:\n\nhttps://access.redhat.com/site/articles/450563",
          "product_ids": [
            "Red Hat CloudForms 2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1206"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "Red Hat CloudForms 2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities"
    }
  ]
}

rhsa-2013:1206

Vulnerability from csaf_redhat

Published

2013-09-04 18:07

Modified

2025-11-21 17:45

Summary

Red Hat Security Advisory: Red Hat CloudForms Management Engine security update

Notes

Topic

Details

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Critical"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "The RHSA-2013:1157 update for Red Hat CloudForms Management Engine included\nan additional fix that was not documented in the erratum.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat CloudForms Management Engine provides the insight, control, and\nautomation needed to address the challenges of managing virtual\nenvironments.\n\nMultiple directory traversal flaws were found in Red Hat CloudForms\nManagement Engine. A remote, unauthenticated attacker could use these flaws\nto upload arbitrary code, and have that code executed with root privileges\non Red Hat CloudForms Management Engine. (CVE-2013-2068)\n\nThis issue was discovered by Ramon de C Valle of the Red Hat Product\nSecurity Team.\n\nNote: This issue was already addressed in the fixpack released as part of\nRHSA-2013:1157, however it was not documented and therefore the erratum was\nincorrectly rated as having important security impact. No new packages are\navailable in this erratum; please install the fixpack as noted in\nRHSA-2013:1157.\n\nRefer to the Solution section of this erratum for installation\ninstructions.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2013:1206",
        "url": "https://access.redhat.com/errata/RHSA-2013:1206"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#critical",
        "url": "https://access.redhat.com/security/updates/classification/#critical"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/articles/450563",
        "url": "https://access.redhat.com/site/articles/450563"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/CloudForms/2.0/html/Management_Engine_5.1_Technical_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "https://rhn.redhat.com/errata/RHSA-2013-1157.html",
        "url": "https://rhn.redhat.com/errata/RHSA-2013-1157.html"
      },
      {
        "category": "external",
        "summary": "960422",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2013/rhsa-2013_1206.json"
      }
    ],
    "title": "Red Hat Security Advisory: Red Hat CloudForms Management Engine security update",
    "tracking": {
      "current_release_date": "2025-11-21T17:45:13+00:00",
      "generator": {
        "date": "2025-11-21T17:45:13+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2013:1206",
      "initial_release_date": "2013-09-04T18:07:00+00:00",
      "revision_history": [
        {
          "date": "2013-09-04T18:07:00+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2013-09-12T09:06:50+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:45:13+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Red Hat CloudForms 2.0",
                "product": {
                  "name": "Red Hat CloudForms 2.0",
                  "product_id": "Red Hat CloudForms 2.0",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cloudforms:2.0"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat CloudForms"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Ramon de C Valle"
          ],
          "organization": "Red Hat Product Security Team",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-2068",
      "cwe": {
        "id": "CWE-22",
        "name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
      },
      "discovery_date": "2013-05-06T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "960422"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "Red Hat CloudForms 2.0"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "RHBZ#960422",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-2068",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-2068"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068"
        }
      ],
      "release_date": "2013-09-04T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2013-09-04T18:07:00+00:00",
          "details": "The update is provided in a fixpack, available from:\n\nhttps://rhn.redhat.com/rhn/software/channel/downloads/Download.do?cid=17971\n\nTo install the fixpack, follow the instructions in the following Red Hat\nKnowledge Base article:\n\nhttps://access.redhat.com/site/articles/450563",
          "product_ids": [
            "Red Hat CloudForms 2.0"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2013:1206"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 10.0,
            "confidentialityImpact": "COMPLETE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
            "version": "2.0"
          },
          "products": [
            "Red Hat CloudForms 2.0"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Critical"
        }
      ],
      "title": "cfme: CFME 2.0 multiple zip file upload path traversal vulnerabilities"
    }
  ]
}

gsd-2013-2068

Vulnerability from gsd

Modified

2023-12-13 01:22

Details

Aliases

CVE-2013-2068

Aliases

CVE-2013-2068

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-2068",
    "description": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
    "id": "GSD-2013-2068",
    "references": [
      "https://access.redhat.com/errata/RHSA-2013:1206",
      "https://packetstormsecurity.com/files/cve/CVE-2013-2068"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-2068"
      ],
      "details": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
      "id": "GSD-2013-2068",
      "modified": "2023-12-13T01:22:17.619494Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-2068",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_affected": "=",
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "http://rhn.redhat.com/errata/RHSA-2013-1206.html",
            "refsource": "MISC",
            "url": "http://rhn.redhat.com/errata/RHSA-2013-1206.html"
          },
          {
            "name": "http://www.exploit-db.com/exploits/30469",
            "refsource": "MISC",
            "url": "http://www.exploit-db.com/exploits/30469"
          },
          {
            "name": "https://bugzilla.redhat.com/show_bug.cgi?id=960422",
            "refsource": "MISC",
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_management_engine:5.1:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-2068"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-22"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2013:1206",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2013-1206.html"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=960422",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
            },
            {
              "name": "30469",
              "refsource": "EXPLOIT-DB",
              "tags": [],
              "url": "http://www.exploit-db.com/exploits/30469"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "COMPLETE",
            "baseScore": 9.4,
            "confidentialityImpact": "NONE",
            "integrityImpact": "COMPLETE",
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:C/A:C",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 9.2,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2014-01-14T04:24Z",
      "publishedDate": "2013-09-28T19:55Z"
    }
  }
}

ghsa-ggp4-2h22-73vm

Vulnerability from github

Published

2022-05-17 04:54

Modified

2022-05-17 04:54

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-2068"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2013-09-28T19:55:00Z",
    "severity": "HIGH"
  },
  "details": "Multiple directory traversal vulnerabilities in the AgentController in Red Hat CloudForms Management Engine 2.0 allow remote attackers to create and overwrite arbitrary files via a .. (dot dot) in the filename parameter to the (1) log, (2) upload, or (3) linuxpkgs method.",
  "id": "GHSA-ggp4-2h22-73vm",
  "modified": "2022-05-17T04:54:47Z",
  "published": "2022-05-17T04:54:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-2068"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=960422"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2013-1206.html"
    },
    {
      "type": "WEB",
      "url": "http://www.exploit-db.com/exploits/30469"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2013-2068 (GCVE-0-2013-2068)

Vulnerability from cvelistv5

fkie_cve-2013-2068

Vulnerability from fkie_nvd

rhsa-2013_1206

Vulnerability from csaf_redhat

RHSA-2013:1206

Vulnerability from csaf_redhat

rhsa-2013:1206

Vulnerability from csaf_redhat

gsd-2013-2068

Vulnerability from gsd

ghsa-ggp4-2h22-73vm

Vulnerability from github

Tags

Sightings

Nomenclature