Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2016-0753 (GCVE-0-2016-0753)
Vulnerability from cvelistv5 – Published: 2016-02-16 02:00 – Updated: 2024-08-05 22:30
VLAI
EPSS
Summary
Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
13 references
Date Public
2016-01-25 00:00
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T22:30:04.636Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST",
"x_transferred"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE",
"x_transferred"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK",
"x_transferred"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN",
"x_transferred"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT",
"x_transferred"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA",
"x_transferred"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2016-01-25T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-09-09T09:57:01.000Z",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"tags": [
"mailing-list",
"x_refsource_MLIST"
],
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"tags": [
"vendor-advisory",
"x_refsource_SUSE"
],
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"tags": [
"vdb-entry",
"x_refsource_SECTRACK"
],
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"tags": [
"vendor-advisory",
"x_refsource_DEBIAN"
],
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"tags": [
"vendor-advisory",
"x_refsource_REDHAT"
],
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"tags": [
"vendor-advisory",
"x_refsource_FEDORA"
],
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/82247"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2016-0753",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "[oss-security] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "http://www.openwall.com/lists/oss-security/2016/01/25/14"
},
{
"name": "[ruby-security-ann] 20160125 [CVE-2016-0753] Possible Input Validation Circumvention in Active Model",
"refsource": "MLIST",
"url": "https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ"
},
{
"name": "openSUSE-SU-2016:0372",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html"
},
{
"name": "FEDORA-2016-94e71ee673",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html"
},
{
"name": "FEDORA-2016-73fe05d878",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html"
},
{
"name": "FEDORA-2016-cc465a34df",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html"
},
{
"name": "SUSE-SU-2016:1146",
"refsource": "SUSE",
"url": "http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"name": "1034816",
"refsource": "SECTRACK",
"url": "http://www.securitytracker.com/id/1034816"
},
{
"name": "DSA-3464",
"refsource": "DEBIAN",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"name": "RHSA-2016:0296",
"refsource": "REDHAT",
"url": "http://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"name": "FEDORA-2016-eb4d6e8aab",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html"
},
{
"name": "FEDORA-2016-cb30088b06",
"refsource": "FEDORA",
"url": "http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html"
},
{
"name": "82247",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/82247"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2016-0753",
"datePublished": "2016-02-16T02:00:00.000Z",
"dateReserved": "2015-12-16T00:00:00.000Z",
"dateUpdated": "2024-08-05T22:30:04.636Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2016-0753",
"date": "2026-05-27",
"epss": "0.02328",
"percentile": "0.85039"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.1.0\", \"versionEndExcluding\": \"4.1.14.1\", \"matchCriteriaId\": \"368EF708-1502-4DC8-9374-724A6BF565DE\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\", \"versionStartIncluding\": \"4.2.0\", \"versionEndExcluding\": \"4.2.5.1\", \"matchCriteriaId\": \"B405A97A-7C41-4005-8E72-56F632D72B9E\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*\", \"matchCriteriaId\": \"AF8F94CF-D504-4165-A69E-3F1198CB162A\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"253C303A-E577-4488-93E6-68A8DD942C38\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E79AB8DD-C907-4038-A931-1A5A4CFB6A5B\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"4863BE36-D16A-4D75-90D9-FD76DB5B48B7\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.\"}, {\"lang\": \"es\", \"value\": \"Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validaci\\u00f3n a trav\\u00e9s de par\\u00e1metros manipulados.\"}]",
"id": "CVE-2016-0753",
"lastModified": "2024-11-21T02:42:18.643",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\", \"baseScore\": 5.3, \"baseSeverity\": \"MEDIUM\", \"attackVector\": \"NETWORK\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"LOW\", \"availabilityImpact\": \"NONE\"}, \"exploitabilityScore\": 3.9, \"impactScore\": 1.4}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:N/I:P/A:N\", \"baseScore\": 5.0, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"NONE\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"NONE\"}, \"baseSeverity\": \"MEDIUM\", \"exploitabilityScore\": 10.0, \"impactScore\": 2.9, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false}]}",
"published": "2016-02-16T02:59:07.690",
"references": "[{\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-0296.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.debian.org/security/2016/dsa-3464\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/01/25/14\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/82247\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1034816\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Broken Link\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-0296.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.debian.org/security/2016/dsa-3464\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"http://www.openwall.com/lists/oss-security/2016/01/25/14\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Mailing List\", \"Third Party Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/82247\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"http://www.securitytracker.com/id/1034816\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\", \"Third Party Advisory\", \"VDB Entry\"]}, {\"url\": \"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Broken Link\"]}]",
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"NVD-CWE-noinfo\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2016-0753\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2016-02-16T02:59:07.690\",\"lastModified\":\"2026-05-06T22:30:45.220\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.\"},{\"lang\":\"es\",\"value\":\"Active Model en Ruby on Rails 4.1.x en versiones anteriores a 4.1.14.1, 4.2.x en versiones anteriores a 4.2.5.1 y 5.x en versiones anteriores a 5.0.0.beta1.1 soporta el uso de los escritores a nivel de instancia para descriptores de acceso de clase, lo que permite a atacantes remotos eludir los pasos destinados a la validaci\u00f3n a trav\u00e9s de par\u00e1metros manipulados.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N\",\"baseScore\":5.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":1.4}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.1.0\",\"versionEndExcluding\":\"4.1.14.1\",\"matchCriteriaId\":\"368EF708-1502-4DC8-9374-724A6BF565DE\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.2.0\",\"versionEndExcluding\":\"4.2.5.1\",\"matchCriteriaId\":\"B405A97A-7C41-4005-8E72-56F632D72B9E\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*\",\"matchCriteriaId\":\"AF8F94CF-D504-4165-A69E-3F1198CB162A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"253C303A-E577-4488-93E6-68A8DD942C38\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E79AB8DD-C907-4038-A931-1A5A4CFB6A5B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"4863BE36-D16A-4D75-90D9-FD76DB5B48B7\"}]}]}],\"references\":[{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0296.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/14\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/82247\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178041.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178047.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178065.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.fedoraproject.org/pipermail/package-announce/2016-February/178066.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-updates/2016-02/msg00043.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-0296.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.debian.org/security/2016/dsa-3464\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"http://www.openwall.com/lists/oss-security/2016/01/25/14\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/82247\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"http://www.securitytracker.com/id/1034816\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\",\"Third Party Advisory\",\"VDB Entry\"]},{\"url\":\"https://groups.google.com/forum/message/raw?msg=ruby-security-ann/6jQVC1geukQ/3Iy0GU1ZEgAJ\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Broken Link\"]}]}}"
}
}
SUSE-SU-2016:0435-1
Vulnerability from csaf_suse - Published: 2016-02-11 16:47 - Updated: 2016-02-11 16:47Summary
Security update for rubygem-activesupport-4_2
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activesupport-4_2
Description of the patch:
This update for rubygem-activesupport-4_2 fixes the following issues:
- CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)
- CVE-2016-0753: Input Validation Circumvention (bsc#963334)
Patchnames: SUSE-Storage-2.1-2016-250
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activesupport-4_2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-activesupport-4_2 fixes the following issues:\n\n- CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)\n- CVE-2016-0753: Input Validation Circumvention (bsc#963334)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-Storage-2.1-2016-250",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0435-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0435-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160435-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0435-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-February/001876.html"
},
{
"category": "self",
"summary": "SUSE Bug 963329",
"url": "https://bugzilla.suse.com/963329"
},
{
"category": "self",
"summary": "SUSE Bug 963334",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7576 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7576/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
}
],
"title": "Security update for rubygem-activesupport-4_2",
"tracking": {
"current_release_date": "2016-02-11T16:47:38Z",
"generator": {
"date": "2016-02-11T16:47:38Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0435-1",
"initial_release_date": "2016-02-11T16:47:38Z",
"revision_history": [
{
"date": "2016-02-11T16:47:38Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64",
"product_id": "ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Enterprise Storage 2.1",
"product": {
"name": "SUSE Enterprise Storage 2.1",
"product_id": "SUSE Enterprise Storage 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:2.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64 as component of SUSE Enterprise Storage 2.1",
"product_id": "SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7576",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7576"
}
],
"notes": [
{
"category": "general",
"text": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7576",
"url": "https://www.suse.com/security/cve/CVE-2015-7576"
},
{
"category": "external",
"summary": "SUSE Bug 963329 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963329"
},
{
"category": "external",
"summary": "SUSE Bug 963563 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963563"
},
{
"category": "external",
"summary": "SUSE Bug 970715 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/970715"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-11T16:47:38Z",
"details": "low"
}
],
"title": "CVE-2015-7576"
},
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activesupport-4_2-4.2.2-6.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-11T16:47:38Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
}
]
}
SUSE-SU-2016:0458-1
Vulnerability from csaf_suse - Published: 2016-02-15 13:25 - Updated: 2016-02-15 13:25Summary
Security update for rubygem-activerecord-4_2
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activerecord-4_2
Description of the patch:
This update for rubygem-activerecord-4_2 fixes the following issues:
- CVE-2016-0753: Input Validation Circumvention (bsc#963334)
- CVE-2015-7577: Nested attributes rejection proc bypass (bsc#963330)
Patchnames: SUSE-Storage-2.1-2016-261
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activerecord-4_2",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-activerecord-4_2 fixes the following issues:\n\n- CVE-2016-0753: Input Validation Circumvention (bsc#963334) \n- CVE-2015-7577: Nested attributes rejection proc bypass (bsc#963330)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-Storage-2.1-2016-261",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0458-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0458-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160458-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0458-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-February/001880.html"
},
{
"category": "self",
"summary": "SUSE Bug 963330",
"url": "https://bugzilla.suse.com/963330"
},
{
"category": "self",
"summary": "SUSE Bug 963334",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7577 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7577/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
}
],
"title": "Security update for rubygem-activerecord-4_2",
"tracking": {
"current_release_date": "2016-02-15T13:25:30Z",
"generator": {
"date": "2016-02-15T13:25:30Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0458-1",
"initial_release_date": "2016-02-15T13:25:30Z",
"revision_history": [
{
"date": "2016-02-15T13:25:30Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64",
"product_id": "ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Enterprise Storage 2.1",
"product": {
"name": "SUSE Enterprise Storage 2.1",
"product_id": "SUSE Enterprise Storage 2.1",
"product_identification_helper": {
"cpe": "cpe:/o:suse:ses:2.1"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64 as component of SUSE Enterprise Storage 2.1",
"product_id": "SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64",
"relates_to_product_reference": "SUSE Enterprise Storage 2.1"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7577",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7577"
}
],
"notes": [
{
"category": "general",
"text": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7577",
"url": "https://www.suse.com/security/cve/CVE-2015-7577"
},
{
"category": "external",
"summary": "SUSE Bug 963330 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963330"
},
{
"category": "external",
"summary": "SUSE Bug 963604 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-15T13:25:30Z",
"details": "low"
}
],
"title": "CVE-2015-7577"
},
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Enterprise Storage 2.1:ruby2.1-rubygem-activerecord-4_2-4.2.2-5.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-15T13:25:30Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
}
]
}
SUSE-SU-2016:0597-1
Vulnerability from csaf_suse - Published: 2016-02-26 15:08 - Updated: 2016-02-26 15:08Summary
Security update for rubygem-activemodel-4_1
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activemodel-4_1
Description of the patch:
This update for rubygem-activemodel-4_1 fixes the following issues:
- CVE-2016-0753: Input Validation Circumvention (bsc#963334)
Patchnames: sleclo50sp3-rubygem-activemodel-4_1-12422
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
9 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activemodel-4_1",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-activemodel-4_1 fixes the following issues:\n\n- CVE-2016-0753: Input Validation Circumvention (bsc#963334)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo50sp3-rubygem-activemodel-4_1-12422",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0597-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0597-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160597-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0597-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-February/001896.html"
},
{
"category": "self",
"summary": "SUSE Bug 963334",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
}
],
"title": "Security update for rubygem-activemodel-4_1",
"tracking": {
"current_release_date": "2016-02-26T15:08:35Z",
"generator": {
"date": "2016-02-26T15:08:35Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0597-1",
"initial_release_date": "2016-02-26T15:08:35Z",
"revision_history": [
{
"date": "2016-02-26T15:08:35Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64",
"product_id": "ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 5",
"product": {
"name": "SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activemodel-4_1-4.1.9-9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-26T15:08:35Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
}
]
}
SUSE-SU-2016:0598-1
Vulnerability from csaf_suse - Published: 2016-02-26 15:08 - Updated: 2016-02-26 15:08Summary
Security update for rubygem-activerecord-4_1
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activerecord-4_1
Description of the patch:
This update for rubygem-activerecord-4_1 fixes the following issues:
- CVE-2016-0753: Input Validation Circumvention (bsc#963334)
- CVE-2015-7577: Nested attributes rejection proc bypass (bsc#963330)
Patchnames: sleclo50sp3-rubygem-activerecord-4_1-12423
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
14 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activerecord-4_1",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-activerecord-4_1 fixes the following issues:\n\n- CVE-2016-0753: Input Validation Circumvention (bsc#963334)\n- CVE-2015-7577: Nested attributes rejection proc bypass (bsc#963330)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo50sp3-rubygem-activerecord-4_1-12423",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0598-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0598-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0598-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-February/001897.html"
},
{
"category": "self",
"summary": "SUSE Bug 963330",
"url": "https://bugzilla.suse.com/963330"
},
{
"category": "self",
"summary": "SUSE Bug 963334",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7577 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7577/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
}
],
"title": "Security update for rubygem-activerecord-4_1",
"tracking": {
"current_release_date": "2016-02-26T15:08:40Z",
"generator": {
"date": "2016-02-26T15:08:40Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0598-1",
"initial_release_date": "2016-02-26T15:08:40Z",
"revision_history": [
{
"date": "2016-02-26T15:08:40Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64",
"product_id": "ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 5",
"product": {
"name": "SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7577",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7577"
}
],
"notes": [
{
"category": "general",
"text": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7577",
"url": "https://www.suse.com/security/cve/CVE-2015-7577"
},
{
"category": "external",
"summary": "SUSE Bug 963330 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963330"
},
{
"category": "external",
"summary": "SUSE Bug 963604 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-26T15:08:40Z",
"details": "low"
}
],
"title": "CVE-2015-7577"
},
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activerecord-4_1-4.1.9-9.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-26T15:08:40Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
}
]
}
SUSE-SU-2016:0600-1
Vulnerability from csaf_suse - Published: 2016-02-26 15:08 - Updated: 2016-02-26 15:08Summary
Security update for rubygem-activesupport-4_1
Severity
Moderate
Notes
Title of the patch: Security update for rubygem-activesupport-4_1
Description of the patch:
This update for rubygem-activesupport-4_1 fixes the following issues:
- CVE-2016-0753: Input Validation Circumvention (bsc#963334)
- CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)
Patchnames: sleclo50sp3-rubygem-activesupport-4_1-12424
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
References
15 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for rubygem-activesupport-4_1",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nThis update for rubygem-activesupport-4_1 fixes the following issues:\n\n- CVE-2016-0753: Input Validation Circumvention (bsc#963334)\n- CVE-2015-7576: Timing attack vulnerability in basic authentication in Action Controller (bsc#963329)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "sleclo50sp3-rubygem-activesupport-4_1-12424",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_0600-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:0600-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160600-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:0600-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-February/001899.html"
},
{
"category": "self",
"summary": "SUSE Bug 963329",
"url": "https://bugzilla.suse.com/963329"
},
{
"category": "self",
"summary": "SUSE Bug 963334",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7576 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7576/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
}
],
"title": "Security update for rubygem-activesupport-4_1",
"tracking": {
"current_release_date": "2016-02-26T15:08:46Z",
"generator": {
"date": "2016-02-26T15:08:46Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:0600-1",
"initial_release_date": "2016-02-26T15:08:46Z",
"revision_history": [
{
"date": "2016-02-26T15:08:46Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64",
"product": {
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64",
"product_id": "ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE OpenStack Cloud 5",
"product": {
"name": "SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5",
"product_identification_helper": {
"cpe": "cpe:/o:suse:cloud:5"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64 as component of SUSE OpenStack Cloud 5",
"product_id": "SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
},
"product_reference": "ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64",
"relates_to_product_reference": "SUSE OpenStack Cloud 5"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7576",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7576"
}
],
"notes": [
{
"category": "general",
"text": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7576",
"url": "https://www.suse.com/security/cve/CVE-2015-7576"
},
{
"category": "external",
"summary": "SUSE Bug 963329 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963329"
},
{
"category": "external",
"summary": "SUSE Bug 963563 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963563"
},
{
"category": "external",
"summary": "SUSE Bug 970715 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/970715"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-26T15:08:46Z",
"details": "low"
}
],
"title": "CVE-2015-7576"
},
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE OpenStack Cloud 5:ruby2.1-rubygem-activesupport-4_1-4.1.9-12.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-02-26T15:08:46Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
}
]
}
SUSE-SU-2016:1146-1
Vulnerability from csaf_suse - Published: 2016-04-25 14:28 - Updated: 2016-04-25 14:28Summary
Security update for portus
Severity
Important
Notes
Title of the patch: Security update for portus
Description of the patch:
Portus was updated to version 2.0.3, which brings several fixes and enhancements:
- Fixed crono job when a repository could not be found.
- Fixed compatibility issues with Docker 1.10 and Distribution 2.3.
- Handle multiple scopes in token requests.
- Add optional fields to token response.
- Fixed notification events for Distribution v2.3.
- Paginate through the catalog properly.
- Do not remove all the repositories if fetching one fails.
- Fixed SMTP setup.
- Don't let crono overflow the 'log' column on the DB.
- Show the actual LDAP error on invalid login.
- Fixed the location of crono logs.
- Always use relative paths.
- Set RUBYLIB when using portusctl.
- Don't count hidden teams on the admin panel.
- Warn developers on unsupported docker-compose versions.
- Directly invalidate LDAP logins without name and password.
- Don't show the 'I forgot my password' link on LDAP.
The following Rubygems bundled within Portus have been updated to fix security
issues:
- CVE-2016-2098: rubygem-actionpack (bsc#969943).
- CVE-2015-7578: rails-html-sanitizer (bsc#963326).
- CVE-2015-7579: rails-html-sanitizer (bsc#963327).
- CVE-2015-7580: rails-html-sanitizer (bsc#963328).
- CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).
- CVE-2015-7577: rubygem-activerecord (bsc#963604).
- CVE-2016-0751: rugygem-actionpack (bsc#963627).
- CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).
- CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617).
- CVE-2015-7581: rubygem-actionpack (bsc#963625).
Patchnames: SUSE-SLE-Module-Containers-12-2016-672
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
6.1 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.1 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
6.1 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
7.5 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
5.3 (Medium)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
low
7.3 (High)
Affected products
Recommended
1 product
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
57 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for portus",
"title": "Title of the patch"
},
{
"category": "description",
"text": "\nPortus was updated to version 2.0.3, which brings several fixes and enhancements:\n\n- Fixed crono job when a repository could not be found.\n- Fixed compatibility issues with Docker 1.10 and Distribution 2.3.\n- Handle multiple scopes in token requests.\n- Add optional fields to token response.\n- Fixed notification events for Distribution v2.3.\n- Paginate through the catalog properly.\n- Do not remove all the repositories if fetching one fails.\n- Fixed SMTP setup.\n- Don\u0027t let crono overflow the \u0027log\u0027 column on the DB.\n- Show the actual LDAP error on invalid login.\n- Fixed the location of crono logs.\n- Always use relative paths.\n- Set RUBYLIB when using portusctl.\n- Don\u0027t count hidden teams on the admin panel.\n- Warn developers on unsupported docker-compose versions.\n- Directly invalidate LDAP logins without name and password.\n- Don\u0027t show the \u0027I forgot my password\u0027 link on LDAP.\n\nThe following Rubygems bundled within Portus have been updated to fix security\nissues:\n\n- CVE-2016-2098: rubygem-actionpack (bsc#969943).\n- CVE-2015-7578: rails-html-sanitizer (bsc#963326).\n- CVE-2015-7579: rails-html-sanitizer (bsc#963327).\n- CVE-2015-7580: rails-html-sanitizer (bsc#963328).\n- CVE-2015-7576: rubygem-actionpack, rubygem-activesupport (bsc#963563).\n- CVE-2015-7577: rubygem-activerecord (bsc#963604).\n- CVE-2016-0751: rugygem-actionpack (bsc#963627).\n- CVE-2016-0752: rubygem-actionpack, rubygem-actionview (bsc#963608).\n- CVE-2016-0753: rubygem-activemodel, rubygem-activesupport, rubygem-activerecord (bsc#963617).\n- CVE-2015-7581: rubygem-actionpack (bsc#963625).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLE-Module-Containers-12-2016-672",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2016_1146-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2016:1146-1",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20161146-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2016:1146-1",
"url": "https://lists.suse.com/pipermail/sle-security-updates/2016-April/002027.html"
},
{
"category": "self",
"summary": "SUSE Bug 963326",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "self",
"summary": "SUSE Bug 963327",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "self",
"summary": "SUSE Bug 963328",
"url": "https://bugzilla.suse.com/963328"
},
{
"category": "self",
"summary": "SUSE Bug 963563",
"url": "https://bugzilla.suse.com/963563"
},
{
"category": "self",
"summary": "SUSE Bug 963604",
"url": "https://bugzilla.suse.com/963604"
},
{
"category": "self",
"summary": "SUSE Bug 963608",
"url": "https://bugzilla.suse.com/963608"
},
{
"category": "self",
"summary": "SUSE Bug 963617",
"url": "https://bugzilla.suse.com/963617"
},
{
"category": "self",
"summary": "SUSE Bug 963625",
"url": "https://bugzilla.suse.com/963625"
},
{
"category": "self",
"summary": "SUSE Bug 963627",
"url": "https://bugzilla.suse.com/963627"
},
{
"category": "self",
"summary": "SUSE Bug 969943",
"url": "https://bugzilla.suse.com/969943"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7576 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7576/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7577 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7577/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7578 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7578/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7579 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7579/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7580 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7580/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2015-7581 page",
"url": "https://www.suse.com/security/cve/CVE-2015-7581/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0751 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0751/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0752 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0752/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-0753 page",
"url": "https://www.suse.com/security/cve/CVE-2016-0753/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2016-2098 page",
"url": "https://www.suse.com/security/cve/CVE-2016-2098/"
}
],
"title": "Security update for portus",
"tracking": {
"current_release_date": "2016-04-25T14:28:51Z",
"generator": {
"date": "2016-04-25T14:28:51Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2016:1146-1",
"initial_release_date": "2016-04-25T14:28:51Z",
"revision_history": [
{
"date": "2016-04-25T14:28:51Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "portus-2.0.3-2.4.x86_64",
"product": {
"name": "portus-2.0.3-2.4.x86_64",
"product_id": "portus-2.0.3-2.4.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Module for Containers 12",
"product": {
"name": "SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sle-module-containers:12"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "portus-2.0.3-2.4.x86_64 as component of SUSE Linux Enterprise Module for Containers 12",
"product_id": "SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
},
"product_reference": "portus-2.0.3-2.4.x86_64",
"relates_to_product_reference": "SUSE Linux Enterprise Module for Containers 12"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7576",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7576"
}
],
"notes": [
{
"category": "general",
"text": "The http_basic_authenticate_with method in actionpack/lib/action_controller/metal/http_authentication.rb in the Basic Authentication implementation in Action Controller in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not use a constant-time algorithm for verifying credentials, which makes it easier for remote attackers to bypass authentication by measuring timing differences.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7576",
"url": "https://www.suse.com/security/cve/CVE-2015-7576"
},
{
"category": "external",
"summary": "SUSE Bug 963329 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963329"
},
{
"category": "external",
"summary": "SUSE Bug 963563 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/963563"
},
{
"category": "external",
"summary": "SUSE Bug 970715 for CVE-2015-7576",
"url": "https://bugzilla.suse.com/970715"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2015-7576"
},
{
"cve": "CVE-2015-7577",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7577"
}
],
"notes": [
{
"category": "general",
"text": "activerecord/lib/active_record/nested_attributes.rb in Active Record in Ruby on Rails 3.1.x and 3.2.x before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly implement a certain destroy option, which allows remote attackers to bypass intended change restrictions by leveraging use of the nested attributes feature.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7577",
"url": "https://www.suse.com/security/cve/CVE-2015-7577"
},
{
"category": "external",
"summary": "SUSE Bug 963330 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963330"
},
{
"category": "external",
"summary": "SUSE Bug 963604 for CVE-2015-7577",
"url": "https://bugzilla.suse.com/963604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2015-7577"
},
{
"cve": "CVE-2015-7578",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7578"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via crafted tag attributes.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7578",
"url": "https://www.suse.com/security/cve/CVE-2015-7578"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7578",
"url": "https://bugzilla.suse.com/963326"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "moderate"
}
],
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7579"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in the rails-html-sanitizer gem 1.0.2 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via an HTML entity that is mishandled by the Rails::Html::FullSanitizer class.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7579",
"url": "https://www.suse.com/security/cve/CVE-2015-7579"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7579",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "moderate"
}
],
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7580"
}
],
"notes": [
{
"category": "general",
"text": "Cross-site scripting (XSS) vulnerability in lib/rails/html/scrubbers.rb in the rails-html-sanitizer gem before 1.0.3 for Ruby on Rails 4.2.x and 5.x allows remote attackers to inject arbitrary web script or HTML via a crafted CDATA node.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7580",
"url": "https://www.suse.com/security/cve/CVE-2015-7580"
},
{
"category": "external",
"summary": "SUSE Bug 963326 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963326"
},
{
"category": "external",
"summary": "SUSE Bug 963327 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963327"
},
{
"category": "external",
"summary": "SUSE Bug 963328 for CVE-2015-7580",
"url": "https://bugzilla.suse.com/963328"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "moderate"
}
],
"title": "CVE-2015-7580"
},
{
"cve": "CVE-2015-7581",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2015-7581"
}
],
"notes": [
{
"category": "general",
"text": "actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application\u0027s use of a wildcard controller route.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2015-7581",
"url": "https://www.suse.com/security/cve/CVE-2015-7581"
},
{
"category": "external",
"summary": "SUSE Bug 963335 for CVE-2015-7581",
"url": "https://bugzilla.suse.com/963335"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2015-7581"
},
{
"cve": "CVE-2016-0751",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0751"
}
],
"notes": [
{
"category": "general",
"text": "actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0751",
"url": "https://www.suse.com/security/cve/CVE-2016-0751"
},
{
"category": "external",
"summary": "SUSE Bug 963331 for CVE-2016-0751",
"url": "https://bugzilla.suse.com/963331"
},
{
"category": "external",
"summary": "SUSE Bug 963627 for CVE-2016-0751",
"url": "https://bugzilla.suse.com/963627"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2016-0751"
},
{
"cve": "CVE-2016-0752",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0752"
}
],
"notes": [
{
"category": "general",
"text": "Directory traversal vulnerability in Action View in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 allows remote attackers to read arbitrary files by leveraging an application\u0027s unrestricted use of the render method and providing a .. (dot dot) in a pathname.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0752",
"url": "https://www.suse.com/security/cve/CVE-2016-0752"
},
{
"category": "external",
"summary": "SUSE Bug 963332 for CVE-2016-0752",
"url": "https://bugzilla.suse.com/963332"
},
{
"category": "external",
"summary": "SUSE Bug 963608 for CVE-2016-0752",
"url": "https://bugzilla.suse.com/963608"
},
{
"category": "external",
"summary": "SUSE Bug 968850 for CVE-2016-0752",
"url": "https://bugzilla.suse.com/968850"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2016-0752"
},
{
"cve": "CVE-2016-0753",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-0753"
}
],
"notes": [
{
"category": "general",
"text": "Active Model in Ruby on Rails 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 supports the use of instance-level writers for class accessors, which allows remote attackers to bypass intended validation steps via crafted parameters.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-0753",
"url": "https://www.suse.com/security/cve/CVE-2016-0753"
},
{
"category": "external",
"summary": "SUSE Bug 963334 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963334"
},
{
"category": "external",
"summary": "SUSE Bug 963617 for CVE-2016-0753",
"url": "https://bugzilla.suse.com/963617"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "low"
}
],
"title": "CVE-2016-0753"
},
{
"cve": "CVE-2016-2098",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2016-2098"
}
],
"notes": [
{
"category": "general",
"text": "Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application\u0027s unrestricted use of the render method.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2016-2098",
"url": "https://www.suse.com/security/cve/CVE-2016-2098"
},
{
"category": "external",
"summary": "SUSE Bug 968849 for CVE-2016-2098",
"url": "https://bugzilla.suse.com/968849"
},
{
"category": "external",
"summary": "SUSE Bug 969943 for CVE-2016-2098",
"url": "https://bugzilla.suse.com/969943"
},
{
"category": "external",
"summary": "SUSE Bug 993313 for CVE-2016-2098",
"url": "https://bugzilla.suse.com/993313"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"SUSE Linux Enterprise Module for Containers 12:portus-2.0.3-2.4.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2016-04-25T14:28:51Z",
"details": "important"
}
],
"title": "CVE-2016-2098"
}
]
}
WID-SEC-W-2025-1085
Vulnerability from csaf_certbund - Published: 2016-01-25 23:00 - Updated: 2025-05-18 22:00Summary
Ruby on Rails: Mehrere Schwachstellen
Severity
Hoch
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung: Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.
Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um Sicherheitsfunktionen zu umgehen, um Dateien zu manipulieren oder um einen Denial of Service Zustand herbeizuführen.
Betroffene Betriebssysteme: - Linux
- UNIX
- Windows
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux Enterprise Server
SUSE
|
cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3
|
— | |
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
9 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux Enterprise Server
SUSE
|
cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3
|
— | |
|
Debian Linux
Debian
|
cpe:/o:debian:debian_linux:-
|
— | |
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
Red Hat Enterprise Linux 6
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:6
|
6 | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Red Hat Enterprise Linux 7
Red Hat / Enterprise Linux
|
cpe:/o:redhat:enterprise_linux:7
|
7 | |
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
SUSE Linux
SUSE
|
cpe:/o:suse:suse_linux:-
|
— | |
|
SUSE openSUSE
SUSE
|
cpe:/o:suse:opensuse:-
|
— | |
|
Open Source Ruby on Rails <4.2.5.1
Open Source / Ruby on Rails
|
<4.2.5.1 | ||
|
Open Source Ruby on Rails <3.2.22.1
Open Source / Ruby on Rails
|
<3.2.22.1 | ||
|
Open Source Ruby on Rails <4.1.14.1
Open Source / Ruby on Rails
|
<4.1.14.1 |
References
27 references
{
"document": {
"aggregate_severity": {
"text": "hoch"
},
"category": "csaf_base",
"csaf_version": "2.0",
"distribution": {
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "de-DE",
"notes": [
{
"category": "legal_disclaimer",
"text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
},
{
"category": "description",
"text": "Ruby on Rails ist ein in der Programmiersprache Ruby geschriebenes und quelloffenes Web Application Framework.",
"title": "Produktbeschreibung"
},
{
"category": "summary",
"text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in Ruby on Rails ausnutzen, um Sicherheitsfunktionen zu umgehen, um Dateien zu manipulieren oder um einen Denial of Service Zustand herbeizuf\u00fchren.",
"title": "Angriff"
},
{
"category": "general",
"text": "- Linux\n- UNIX\n- Windows",
"title": "Betroffene Betriebssysteme"
}
],
"publisher": {
"category": "other",
"contact_details": "csaf-provider@cert-bund.de",
"name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
"namespace": "https://www.bsi.bund.de"
},
"references": [
{
"category": "self",
"summary": "WID-SEC-W-2025-1085 - CSAF Version",
"url": "https://wid.cert-bund.de/.well-known/csaf/white/2016/wid-sec-w-2025-1085.json"
},
{
"category": "self",
"summary": "WID-SEC-2025-1085 - Portal Version",
"url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1085"
},
{
"category": "external",
"summary": "Weblog Rubyonrails vom 2016-01-25",
"url": "http://weblog.rubyonrails.org/2016/1/25/Rails-5-0-0-beta1-1-4-2-5-1-4-1-14-1-3-2-22-1-and-rails-html-sanitizer-1-0-3-have-been-released/"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-3464 vom 2016-02-01",
"url": "http://www.debian.org/security/2016/dsa-3464"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0391-1 vom 2016-02-09",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160391-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0432-1 vom 2016-02-12",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160432-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0435-1 vom 2016-02-12",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160435-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0457-1 vom 2016-02-15",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160457-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0458-1 vom 2016-02-15",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160458-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0456-1 vom 2016-02-15",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160456-1.html"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2016:0296 vom 2016-02-25",
"url": "https://rhn.redhat.com/errata/RHSA-2016-0296.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0600-1 vom 2016-02-26",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160600-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0598-1 vom 2016-02-26",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160598-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0597-1 vom 2016-02-26",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160597-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0599-1 vom 2016-02-26",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160599-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0619-1 vom 2016-03-01",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160619-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0623-1 vom 2016-03-01",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160623-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0618-1 vom 2016-03-01",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160618-1.html"
},
{
"category": "external",
"summary": "Debian Security Advisory DSA-3509 vom 2016-03-09",
"url": "https://www.debian.org/security/2016/dsa-3509"
},
{
"category": "external",
"summary": "Red Hat Security Advisory RHSA-2016:0454 vom 2016-03-16",
"url": "https://rhn.redhat.com/errata/RHSA-2016-0454.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0857-1 vom 2016-03-23",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160857-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0858-1 vom 2016-03-23",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160858-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:0968-1 vom 2016-04-07",
"url": "https://www.suse.com/support/update/announcement/2016/suse-su-20160968-1.html"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2016:1146-1 vom 2016-04-25",
"url": "https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html"
},
{
"category": "external",
"summary": "CXSecurity #WLB-2016100137 vom 2016-10-23",
"url": "https://cxsecurity.com/issue/WLB-2016100137"
},
{
"category": "external",
"summary": "SUSE Security Update SUSE-SU-2017:0475-1 vom 2017-02-16",
"url": "https://www.suse.com/support/update/announcement/2017/suse-su-20170475-1.html"
},
{
"category": "external",
"summary": "openSUSE Security Update OPENSUSE-SU-2025:15125-1 vom 2025-05-18",
"url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4QQONV4QKIWHRILZMO26H7FGDPO7KJAF/"
}
],
"source_lang": "en-US",
"title": "Ruby on Rails: Mehrere Schwachstellen",
"tracking": {
"current_release_date": "2025-05-18T22:00:00.000+00:00",
"generator": {
"date": "2025-05-19T08:27:28.505+00:00",
"engine": {
"name": "BSI-WID",
"version": "1.3.12"
}
},
"id": "WID-SEC-W-2025-1085",
"initial_release_date": "2016-01-25T23:00:00.000+00:00",
"revision_history": [
{
"date": "2016-01-25T23:00:00.000+00:00",
"number": "1",
"summary": "Initial Release"
},
{
"date": "2016-01-25T23:00:00.000+00:00",
"number": "2",
"summary": "Version nicht vorhanden"
},
{
"date": "2016-01-31T23:00:00.000+00:00",
"number": "3",
"summary": "New remediations available"
},
{
"date": "2016-01-31T23:00:00.000+00:00",
"number": "4",
"summary": "Version nicht vorhanden"
},
{
"date": "2016-02-09T23:00:00.000+00:00",
"number": "5",
"summary": "New remediations available"
},
{
"date": "2016-02-09T23:00:00.000+00:00",
"number": "6",
"summary": "Version nicht vorhanden"
},
{
"date": "2016-02-11T23:00:00.000+00:00",
"number": "7",
"summary": "New remediations available"
},
{
"date": "2016-02-14T23:00:00.000+00:00",
"number": "8",
"summary": "New remediations available"
},
{
"date": "2016-02-15T23:00:00.000+00:00",
"number": "9",
"summary": "New remediations available"
},
{
"date": "2016-02-25T23:00:00.000+00:00",
"number": "10",
"summary": "New remediations available"
},
{
"date": "2016-02-25T23:00:00.000+00:00",
"number": "11",
"summary": "Version nicht vorhanden"
},
{
"date": "2016-02-28T23:00:00.000+00:00",
"number": "12",
"summary": "New remediations available"
},
{
"date": "2016-03-01T23:00:00.000+00:00",
"number": "13",
"summary": "New remediations available"
},
{
"date": "2016-03-09T23:00:00.000+00:00",
"number": "14",
"summary": "New remediations available"
},
{
"date": "2016-03-15T23:00:00.000+00:00",
"number": "15",
"summary": "New remediations available"
},
{
"date": "2016-03-23T23:00:00.000+00:00",
"number": "16",
"summary": "New remediations available"
},
{
"date": "2016-04-07T22:00:00.000+00:00",
"number": "17",
"summary": "New remediations available"
},
{
"date": "2016-04-25T22:00:00.000+00:00",
"number": "18",
"summary": "New remediations available"
},
{
"date": "2016-04-25T22:00:00.000+00:00",
"number": "19",
"summary": "Version nicht vorhanden"
},
{
"date": "2017-02-16T23:00:00.000+00:00",
"number": "20",
"summary": "New remediations available"
},
{
"date": "2025-05-18T22:00:00.000+00:00",
"number": "21",
"summary": "Neue Updates von openSUSE aufgenommen"
}
],
"status": "final",
"version": "21"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "Debian Linux",
"product": {
"name": "Debian Linux",
"product_id": "2951",
"product_identification_helper": {
"cpe": "cpe:/o:debian:debian_linux:-"
}
}
}
],
"category": "vendor",
"name": "Debian"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c4.2.5.1",
"product": {
"name": "Open Source Ruby on Rails \u003c4.2.5.1",
"product_id": "T006926"
}
},
{
"category": "product_version",
"name": "4.2.5.1",
"product": {
"name": "Open Source Ruby on Rails 4.2.5.1",
"product_id": "T006926-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:rubyonrails:ruby_on_rails:4.2.5.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c4.1.14.1",
"product": {
"name": "Open Source Ruby on Rails \u003c4.1.14.1",
"product_id": "T006927"
}
},
{
"category": "product_version",
"name": "4.1.14.1",
"product": {
"name": "Open Source Ruby on Rails 4.1.14.1",
"product_id": "T006927-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:rubyonrails:ruby_on_rails:4.1.14.1"
}
}
},
{
"category": "product_version_range",
"name": "\u003c3.2.22.1",
"product": {
"name": "Open Source Ruby on Rails \u003c3.2.22.1",
"product_id": "T006928"
}
},
{
"category": "product_version",
"name": "3.2.22.1",
"product": {
"name": "Open Source Ruby on Rails 3.2.22.1",
"product_id": "T006928-fixed",
"product_identification_helper": {
"cpe": "cpe:/a:rubyonrails:ruby_on_rails:3.2.22.1"
}
}
}
],
"category": "product_name",
"name": "Ruby on Rails"
}
],
"category": "vendor",
"name": "Open Source"
},
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "6",
"product": {
"name": "Red Hat Enterprise Linux 6",
"product_id": "120737",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:6"
}
}
},
{
"category": "product_version",
"name": "7",
"product": {
"name": "Red Hat Enterprise Linux 7",
"product_id": "T006054",
"product_identification_helper": {
"cpe": "cpe:/o:redhat:enterprise_linux:7"
}
}
}
],
"category": "product_name",
"name": "Enterprise Linux"
}
],
"category": "vendor",
"name": "Red Hat"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux",
"product": {
"name": "SUSE Linux",
"product_id": "T002207",
"product_identification_helper": {
"cpe": "cpe:/o:suse:suse_linux:-"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server",
"product": {
"name": "SUSE Linux Enterprise Server",
"product_id": "T003320",
"product_identification_helper": {
"cpe": "cpe:/o:suse:linux_enterprise_server:suseenterprisehighavailabilityextension11sp3"
}
}
},
{
"category": "product_name",
"name": "SUSE openSUSE",
"product": {
"name": "SUSE openSUSE",
"product_id": "T027843",
"product_identification_helper": {
"cpe": "cpe:/o:suse:opensuse:-"
}
}
}
],
"category": "vendor",
"name": "SUSE"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2015-7576",
"product_status": {
"known_affected": [
"T003320",
"2951",
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7576"
},
{
"cve": "CVE-2015-7577",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7577"
},
{
"cve": "CVE-2015-7578",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7578"
},
{
"cve": "CVE-2015-7579",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7579"
},
{
"cve": "CVE-2015-7580",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7580"
},
{
"cve": "CVE-2015-7581",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2015-7581"
},
{
"cve": "CVE-2016-0751",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2016-0751"
},
{
"cve": "CVE-2016-0752",
"product_status": {
"known_affected": [
"T003320",
"2951",
"T002207",
"120737",
"T027843",
"T006926",
"T006054",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2016-0752"
},
{
"cve": "CVE-2016-0753",
"product_status": {
"known_affected": [
"T002207",
"T027843",
"T006926",
"T006928",
"T006927"
]
},
"release_date": "2016-01-25T23:00:00.000+00:00",
"title": "CVE-2016-0753"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…