Vulnerability-Lookup

RHSA-2019:0796

Vulnerability from csaf_redhat - Published: 2019-04-23 07:46 - Updated: 2026-02-23 16:22

Summary

Red Hat Security Advisory: CloudForms 4.7.3 security, bug fix and enhancement update

Severity

Important

Notes

Topic: An update is now available for CloudForms Management Engine 5.10. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Details: Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. Security Fix(es): * rubygem-actionpack: render file directory traversal in Action View (CVE-2019-5418) * rubygem-actionpack: denial of service vulnerability in Action View (CVE-2019-5419) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes: This update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

Terms of Use: This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

CVE-2019-3869

When running Tower on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.

7.2 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE-214 - Invocation of Process Using Visible Sensitive Information

Vendor Fix For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 If the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically. https://access.redhat.com/errata/RHSA-2019:0796

CVE-2019-5418

A content disclosure flaw was found in rubygem-actionview. Specially crafted accept headers, in combination with calls to 'render file:', can cause arbitrary files on the target server to be rendered, disclosing the file contents. Code execution cannot be ruled out if the attacker is able to gain access to the proper files. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

8.1 (High)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor

CVE-2019-5419

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.

5.9 (Medium)


                        
                          CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-20 - Improper Input Validation

References

URL

Category

	https://access.redhat.com/errata/RHSA-2019:0796	self
	https://access.redhat.com/security/updates/classi…	external
	https://access.redhat.com/documentation/en-us/red…	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1678385	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1680959	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1686045	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1686902	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1688937	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1689159	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1689160	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693714	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693718	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693719	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693720	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693721	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693722	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693727	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693728	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693729	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693730	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693731	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693740	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693741	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693743	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693745	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693746	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693747	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693748	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693749	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693757	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1693817	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1694190	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1694798	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695626	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695627	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695628	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695629	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695631	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1695897	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696362	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696419	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696421	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696422	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696456	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1696841	external
	https://bugzilla.redhat.com/show_bug.cgi?id=1698586	external
	https://security.access.redhat.com/data/csaf/v2/a…	self
	https://access.redhat.com/security/cve/CVE-2019-3869	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1688508	external
	https://www.cve.org/CVERecord?id=CVE-2019-3869	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-3869	external
	https://github.com/ansible/awx/pull/3505	external
	https://access.redhat.com/security/cve/CVE-2019-5418	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1689159	external
	https://www.cve.org/CVERecord?id=CVE-2019-5418	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-5418	external
	https://github.com/mpgn/CVE-2019-5418	external
	https://groups.google.com/forum/#!msg/rubyonrails…	external
	https://www.cisa.gov/known-exploited-vulnerabilit…	external
	https://access.redhat.com/security/cve/CVE-2019-5419	self
	https://bugzilla.redhat.com/show_bug.cgi?id=1689160	external
	https://www.cve.org/CVERecord?id=CVE-2019-5419	external
	https://nvd.nist.gov/vuln/detail/CVE-2019-5419	external
	https://groups.google.com/forum/#!msg/rubyonrails…	external

Acknowledgments

FactSet Research Systems Inc Chris Bertsch

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Important"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "An update is now available for CloudForms Management Engine 5.10.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat CloudForms Management Engine delivers the insight, control, and automation needed to address the challenges of managing virtual environments. CloudForms Management Engine is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.\n\nSecurity Fix(es):\n\n* rubygem-actionpack: render file directory traversal in Action View (CVE-2019-5418)\n\n* rubygem-actionpack: denial of service vulnerability in Action View (CVE-2019-5419)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes:\n\nThis update fixes various bugs and adds enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2019:0796",
        "url": "https://access.redhat.com/errata/RHSA-2019:0796"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#important",
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/release_notes",
        "url": "https://access.redhat.com/documentation/en-us/red_hat_cloudforms/4.7/html/release_notes"
      },
      {
        "category": "external",
        "summary": "1678385",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1678385"
      },
      {
        "category": "external",
        "summary": "1680959",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1680959"
      },
      {
        "category": "external",
        "summary": "1686045",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686045"
      },
      {
        "category": "external",
        "summary": "1686902",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1686902"
      },
      {
        "category": "external",
        "summary": "1688937",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1688937"
      },
      {
        "category": "external",
        "summary": "1689159",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1689159"
      },
      {
        "category": "external",
        "summary": "1689160",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1689160"
      },
      {
        "category": "external",
        "summary": "1693714",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693714"
      },
      {
        "category": "external",
        "summary": "1693718",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693718"
      },
      {
        "category": "external",
        "summary": "1693719",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693719"
      },
      {
        "category": "external",
        "summary": "1693720",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693720"
      },
      {
        "category": "external",
        "summary": "1693721",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693721"
      },
      {
        "category": "external",
        "summary": "1693722",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693722"
      },
      {
        "category": "external",
        "summary": "1693727",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693727"
      },
      {
        "category": "external",
        "summary": "1693728",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693728"
      },
      {
        "category": "external",
        "summary": "1693729",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693729"
      },
      {
        "category": "external",
        "summary": "1693730",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693730"
      },
      {
        "category": "external",
        "summary": "1693731",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693731"
      },
      {
        "category": "external",
        "summary": "1693740",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693740"
      },
      {
        "category": "external",
        "summary": "1693741",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693741"
      },
      {
        "category": "external",
        "summary": "1693743",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693743"
      },
      {
        "category": "external",
        "summary": "1693745",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693745"
      },
      {
        "category": "external",
        "summary": "1693746",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693746"
      },
      {
        "category": "external",
        "summary": "1693747",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693747"
      },
      {
        "category": "external",
        "summary": "1693748",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693748"
      },
      {
        "category": "external",
        "summary": "1693749",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693749"
      },
      {
        "category": "external",
        "summary": "1693757",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693757"
      },
      {
        "category": "external",
        "summary": "1693817",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1693817"
      },
      {
        "category": "external",
        "summary": "1694190",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694190"
      },
      {
        "category": "external",
        "summary": "1694798",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1694798"
      },
      {
        "category": "external",
        "summary": "1695626",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695626"
      },
      {
        "category": "external",
        "summary": "1695627",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695627"
      },
      {
        "category": "external",
        "summary": "1695628",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695628"
      },
      {
        "category": "external",
        "summary": "1695629",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695629"
      },
      {
        "category": "external",
        "summary": "1695631",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695631"
      },
      {
        "category": "external",
        "summary": "1695897",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1695897"
      },
      {
        "category": "external",
        "summary": "1696362",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696362"
      },
      {
        "category": "external",
        "summary": "1696419",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696419"
      },
      {
        "category": "external",
        "summary": "1696421",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696421"
      },
      {
        "category": "external",
        "summary": "1696422",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696422"
      },
      {
        "category": "external",
        "summary": "1696456",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696456"
      },
      {
        "category": "external",
        "summary": "1696841",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1696841"
      },
      {
        "category": "external",
        "summary": "1698586",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1698586"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_0796.json"
      }
    ],
    "title": "Red Hat Security Advisory: CloudForms 4.7.3 security, bug fix and enhancement update",
    "tracking": {
      "current_release_date": "2026-02-23T16:22:01+00:00",
      "generator": {
        "date": "2026-02-23T16:22:01+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.7.1"
        }
      },
      "id": "RHSA-2019:0796",
      "initial_release_date": "2019-04-23T07:46:49+00:00",
      "revision_history": [
        {
          "date": "2019-04-23T07:46:49+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2019-04-23T07:46:49+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2026-02-23T16:22:01+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "CloudForms Management Engine 5.10",
                "product": {
                  "name": "CloudForms Management Engine 5.10",
                  "product_id": "7Server-RH7-CFME-5.10",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cloudforms_managementengine:5.10::el7"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat CloudForms"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower-venv-ansible@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower-setup@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower-ui@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-tower-server-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-server-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-server-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower-server@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-tower-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
                "product": {
                  "name": "ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
                  "product_id": "ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower-venv-tower@3.4.3-1.el7at?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-debuginfo@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance-debuginfo@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance-tools@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance-common@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-gemset@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-gemset-debuginfo@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
                "product": {
                  "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
                  "product_id": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.10.3.3-1.el7cf?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-tower-0:3.4.3-1.el7at.src",
                "product": {
                  "name": "ansible-tower-0:3.4.3-1.el7at.src",
                  "product_id": "ansible-tower-0:3.4.3-1.el7at.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ansible-tower@3.4.3-1.el7at?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-0:5.10.3.3-1.el7cf.src",
                "product": {
                  "name": "cfme-0:5.10.3.3-1.el7cf.src",
                  "product_id": "cfme-0:5.10.3.3-1.el7cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme@5.10.3.3-1.el7cf?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-0:5.10.3.3-1.el7cf.src",
                "product": {
                  "name": "cfme-appliance-0:5.10.3.3-1.el7cf.src",
                  "product_id": "cfme-appliance-0:5.10.3.3-1.el7cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance@5.10.3.3-1.el7cf?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-gemset-0:5.10.3.3-1.el7cf.src",
                "product": {
                  "name": "cfme-gemset-0:5.10.3.3-1.el7cf.src",
                  "product_id": "cfme-gemset-0:5.10.3.3-1.el7cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-gemset@5.10.3.3-1.el7cf?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
                "product": {
                  "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
                  "product_id": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-amazon-smartstate@5.10.3.3-1.el7cf?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-0:3.4.3-1.el7at.src as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src"
        },
        "product_reference": "ansible-tower-0:3.4.3-1.el7at.src",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-server-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-server-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-setup-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-ui-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64"
        },
        "product_reference": "ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-0:5.10.3.3-1.el7cf.src as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src"
        },
        "product_reference": "cfme-0:5.10.3.3-1.el7cf.src",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src"
        },
        "product_reference": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-0:5.10.3.3-1.el7cf.src as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src"
        },
        "product_reference": "cfme-appliance-0:5.10.3.3-1.el7cf.src",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-gemset-0:5.10.3.3-1.el7cf.src as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src"
        },
        "product_reference": "cfme-gemset-0:5.10.3.3-1.el7cf.src",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-gemset-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64 as a component of CloudForms Management Engine 5.10",
          "product_id": "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        },
        "product_reference": "cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
        "relates_to_product_reference": "7Server-RH7-CFME-5.10"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Chris Bertsch"
          ],
          "organization": "FactSet Research Systems Inc"
        }
      ],
      "cve": "CVE-2019-3869",
      "cwe": {
        "id": "CWE-214",
        "name": "Invocation of Process Using Visible Sensitive Information"
      },
      "discovery_date": "2019-03-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1688508"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "When running Tower on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "Tower: credentials leaked through environment variables",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-3869"
        },
        {
          "category": "external",
          "summary": "RHBZ#1688508",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1688508"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-3869",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-3869"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-3869",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-3869"
        },
        {
          "category": "external",
          "summary": "https://github.com/ansible/awx/pull/3505",
          "url": "https://github.com/ansible/awx/pull/3505"
        }
      ],
      "release_date": "2019-03-26T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-04-23T07:46:49+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nIf the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.",
          "product_ids": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:0796"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "Tower: credentials leaked through environment variables"
    },
    {
      "cve": "CVE-2019-5418",
      "cwe": {
        "id": "CWE-200",
        "name": "Exposure of Sensitive Information to an Unauthorized Actor"
      },
      "discovery_date": "2019-03-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1689159"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "A content disclosure flaw was found in rubygem-actionview. Specially crafted accept headers, in combination with calls to \u0027render file:\u0027, can cause arbitrary files on the target server to be rendered, disclosing the file contents. Code execution cannot be ruled out if the attacker is able to gain access to the proper files. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rubygem-actionpack: render file directory traversal in Action View",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did affect the versions of rh-ror42-rubygem-actionpack and rh-ror50-rubygem-actionpack as shipped with Red Hat Software Collections.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-5418"
        },
        {
          "category": "external",
          "summary": "RHBZ#1689159",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1689159"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-5418",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-5418"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-5418",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5418"
        },
        {
          "category": "external",
          "summary": "https://github.com/mpgn/CVE-2019-5418",
          "url": "https://github.com/mpgn/CVE-2019-5418"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!msg/rubyonrails-security/pFRKI96Sm8Q/IhpRq9D2CgAJ",
          "url": "https://groups.google.com/forum/#!msg/rubyonrails-security/pFRKI96Sm8Q/IhpRq9D2CgAJ"
        },
        {
          "category": "external",
          "summary": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog",
          "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        }
      ],
      "release_date": "2019-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-04-23T07:46:49+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nIf the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.",
          "product_ids": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:0796"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "exploit_status",
          "date": "2025-07-07T00:00:00+00:00",
          "details": "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog"
        },
        {
          "category": "impact",
          "details": "Important"
        }
      ],
      "title": "rubygem-actionpack: render file directory traversal in Action View"
    },
    {
      "cve": "CVE-2019-5419",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "discovery_date": "2019-03-13T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1689160"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "rubygem-actionpack: denial of service vulnerability in Action View",
          "title": "Vulnerability summary"
        },
        {
          "category": "other",
          "text": "This issue did affect the versions of rh-ror42-rubygem-actionview and rh-ror50-rubygem-actionview as shipped with Red Hat Software Collections.",
          "title": "Statement"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
          "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
          "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
          "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2019-5419"
        },
        {
          "category": "external",
          "summary": "RHBZ#1689160",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1689160"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2019-5419",
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-5419"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-5419",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-5419"
        },
        {
          "category": "external",
          "summary": "https://groups.google.com/forum/#!msg/rubyonrails-security/GN7w9fFAQeI/0iQIiLP2CgAJ",
          "url": "https://groups.google.com/forum/#!msg/rubyonrails-security/GN7w9fFAQeI/0iQIiLP2CgAJ"
        }
      ],
      "release_date": "2019-03-13T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2019-04-23T07:46:49+00:00",
          "details": "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nIf the postgresql service is running, it will be automatically restarted after installing this update. After installing the updated packages, the httpd daemon will be restarted automatically.",
          "product_ids": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2019:0796"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.0"
          },
          "products": [
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.src",
            "7Server-RH7-CFME-5.10:ansible-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-server-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-setup-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-ui-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-ansible-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:ansible-tower-venv-tower-0:3.4.3-1.el7at.x86_64",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-amazon-smartstate-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-appliance-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-common-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-appliance-tools-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-debuginfo-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.src",
            "7Server-RH7-CFME-5.10:cfme-gemset-0:5.10.3.3-1.el7cf.x86_64",
            "7Server-RH7-CFME-5.10:cfme-gemset-debuginfo-0:5.10.3.3-1.el7cf.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "rubygem-actionpack: denial of service vulnerability in Action View"
    }
  ]
}

CVE-2019-5418 (GCVE-0-2019-5418)

Vulnerability from cvelistv5 – Published: 2019-03-27 13:38 – Updated: 2025-10-21 23:45

Summary

There is a File Content Disclosure vulnerability in Action View <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system's filesystem to be exposed.

Severity ?

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE

CWE-22 - Path Traversal (CWE-22)

Assigner

hackerone

References

URL

Tags

	https://www.exploit-db.com/exploits/46585/	exploitx_refsource_EXPLOIT-DB
	http://packetstormsecurity.com/files/152178/Rails…	x_refsource_MISC
	http://www.openwall.com/lists/oss-security/2019/03/22/1	mailing-listx_refsource_MLIST
	https://weblog.rubyonrails.org/2019/3/13/Rails-4-…	x_refsource_CONFIRM
	https://groups.google.com/forum/#%21topic/rubyonr…	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0796	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:1149	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1147	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1289	vendor-advisoryx_refsource_REDHAT

Impacted products

	Vendor	Product	Version
	Rails	https://github.com/rails/rails	Affected: 5.2.2.1 Affected: 5.1.6.2 Affected: 5.0.7.2 Affected: 4.2.11.1

Date Public ?

2019-03-13 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:54:53.606Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "46585",
            "tags": [
              "exploit",
              "x_refsource_EXPLOIT-DB",
              "x_transferred"
            ],
            "url": "https://www.exploit-db.com/exploits/46585/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
          },
          {
            "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
          },
          {
            "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
          },
          {
            "name": "RHSA-2019:0796",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0796"
          },
          {
            "name": "openSUSE-SU-2019:1344",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
          },
          {
            "name": "FEDORA-2019-1cfe24db5c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
          },
          {
            "name": "RHSA-2019:1149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1149"
          },
          {
            "name": "RHSA-2019:1147",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1147"
          },
          {
            "name": "RHSA-2019:1289",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1289"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 7.5,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2019-5418",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-07-17T03:55:43.688900Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-07-07",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418"
              },
              "type": "kev"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T23:45:41.038Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "url": "https://web.archive.org/web/20190313201629/https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
          },
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-5418"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-07-07T00:00:00.000Z",
            "value": "CVE-2019-5418 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "Rails",
          "versions": [
            {
              "status": "affected",
              "version": "5.2.2.1"
            },
            {
              "status": "affected",
              "version": "5.1.6.2"
            },
            {
              "status": "affected",
              "version": "5.0.7.2"
            },
            {
              "status": "affected",
              "version": "4.2.11.1"
            }
          ]
        }
      ],
      "datePublic": "2019-03-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system\u0027s filesystem to be exposed."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "Path Traversal (CWE-22)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-10-11T18:33:30.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "46585",
          "tags": [
            "exploit",
            "x_refsource_EXPLOIT-DB"
          ],
          "url": "https://www.exploit-db.com/exploits/46585/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
        },
        {
          "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/pFRKI96Sm8Q"
        },
        {
          "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
        },
        {
          "name": "RHSA-2019:0796",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0796"
        },
        {
          "name": "openSUSE-SU-2019:1344",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
        },
        {
          "name": "FEDORA-2019-1cfe24db5c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
        },
        {
          "name": "RHSA-2019:1149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1149"
        },
        {
          "name": "RHSA-2019:1147",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1147"
        },
        {
          "name": "RHSA-2019:1289",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1289"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-5418",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.2.2.1"
                          },
                          {
                            "version_value": "5.1.6.2"
                          },
                          {
                            "version_value": "5.0.7.2"
                          },
                          {
                            "version_value": "4.2.11.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is a File Content Disclosure vulnerability in Action View \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 and v3 where specially crafted accept headers can cause contents of arbitrary files on the target system\u0027s filesystem to be exposed."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Path Traversal (CWE-22)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "46585",
              "refsource": "EXPLOIT-DB",
              "url": "https://www.exploit-db.com/exploits/46585/"
            },
            {
              "name": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html",
              "refsource": "MISC",
              "url": "http://packetstormsecurity.com/files/152178/Rails-5.2.1-Arbitrary-File-Content-Disclosure.html"
            },
            {
              "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
            },
            {
              "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
              "refsource": "CONFIRM",
              "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/pFRKI96Sm8Q"
            },
            {
              "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
            },
            {
              "name": "RHSA-2019:0796",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0796"
            },
            {
              "name": "openSUSE-SU-2019:1344",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
            },
            {
              "name": "FEDORA-2019-1cfe24db5c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
            },
            {
              "name": "RHSA-2019:1149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1149"
            },
            {
              "name": "RHSA-2019:1147",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1147"
            },
            {
              "name": "RHSA-2019:1289",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1289"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-5418",
    "datePublished": "2019-03-27T13:38:58.000Z",
    "dateReserved": "2019-01-04T00:00:00.000Z",
    "dateUpdated": "2025-10-21T23:45:41.038Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-5419 (GCVE-0-2019-5419)

Vulnerability from cvelistv5 – Published: 2019-03-27 13:43 – Updated: 2024-08-04 19:54

Summary

Severity ?

No CVSS data available.

CWE

CWE-400 - Denial of Service (CWE-400)

Assigner

hackerone

References

URL

Tags

	http://www.openwall.com/lists/oss-security/2019/03/22/1	mailing-listx_refsource_MLIST
	https://weblog.rubyonrails.org/2019/3/13/Rails-4-…	x_refsource_CONFIRM
	https://groups.google.com/forum/#%21topic/rubyonr…	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019…	mailing-listx_refsource_MLIST
	https://access.redhat.com/errata/RHSA-2019:0796	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://access.redhat.com/errata/RHSA-2019:1149	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1147	vendor-advisoryx_refsource_REDHAT
	https://access.redhat.com/errata/RHSA-2019:1289	vendor-advisoryx_refsource_REDHAT
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE
	http://lists.opensuse.org/opensuse-security-annou…	vendor-advisoryx_refsource_SUSE

Impacted products

	Vendor	Product	Version
	Rails	https://github.com/rails/rails	Affected: 5.2.2.1 Affected: 5.1.6.2 Affected: 5.0.7.2 Affected: 4.2.11.1

Date Public ?

2019-03-13 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:54:53.468Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
          },
          {
            "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
          },
          {
            "name": "RHSA-2019:0796",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:0796"
          },
          {
            "name": "openSUSE-SU-2019:1344",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
          },
          {
            "name": "FEDORA-2019-1cfe24db5c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
          },
          {
            "name": "RHSA-2019:1149",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1149"
          },
          {
            "name": "RHSA-2019:1147",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1147"
          },
          {
            "name": "RHSA-2019:1289",
            "tags": [
              "vendor-advisory",
              "x_refsource_REDHAT",
              "x_transferred"
            ],
            "url": "https://access.redhat.com/errata/RHSA-2019:1289"
          },
          {
            "name": "openSUSE-SU-2019:1527",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
          },
          {
            "name": "openSUSE-SU-2019:1824",
            "tags": [
              "vendor-advisory",
              "x_refsource_SUSE",
              "x_transferred"
            ],
            "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "https://github.com/rails/rails",
          "vendor": "Rails",
          "versions": [
            {
              "status": "affected",
              "version": "5.2.2.1"
            },
            {
              "status": "affected",
              "version": "5.1.6.2"
            },
            {
              "status": "affected",
              "version": "5.0.7.2"
            },
            {
              "status": "affected",
              "version": "4.2.11.1"
            }
          ]
        }
      ],
      "datePublic": "2019-03-13T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "Denial of Service (CWE-400)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-08-01T20:06:09.000Z",
        "orgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
        "shortName": "hackerone"
      },
      "references": [
        {
          "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://groups.google.com/forum/#%21topic/rubyonrails-security/GN7w9fFAQeI"
        },
        {
          "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
        },
        {
          "name": "RHSA-2019:0796",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:0796"
        },
        {
          "name": "openSUSE-SU-2019:1344",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
        },
        {
          "name": "FEDORA-2019-1cfe24db5c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
        },
        {
          "name": "RHSA-2019:1149",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1149"
        },
        {
          "name": "RHSA-2019:1147",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1147"
        },
        {
          "name": "RHSA-2019:1289",
          "tags": [
            "vendor-advisory",
            "x_refsource_REDHAT"
          ],
          "url": "https://access.redhat.com/errata/RHSA-2019:1289"
        },
        {
          "name": "openSUSE-SU-2019:1527",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
        },
        {
          "name": "openSUSE-SU-2019:1824",
          "tags": [
            "vendor-advisory",
            "x_refsource_SUSE"
          ],
          "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "support@hackerone.com",
          "ID": "CVE-2019-5419",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "https://github.com/rails/rails",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "5.2.2.1"
                          },
                          {
                            "version_value": "5.1.6.2"
                          },
                          {
                            "version_value": "5.0.7.2"
                          },
                          {
                            "version_value": "4.2.11.1"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Rails"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "There is a possible denial of service vulnerability in Action View (Rails) \u003c5.2.2.1, \u003c5.1.6.2, \u003c5.0.7.2, \u003c4.2.11.1 where specially crafted accept headers can cause action view to consume 100% cpu and make the server unresponsive."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Denial of Service (CWE-400)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "[oss-security] 20190322 [CVE-2019-5418] Amendment: Possible Remote Code Execution Exploit in Action View",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/03/22/1"
            },
            {
              "name": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/",
              "refsource": "CONFIRM",
              "url": "https://weblog.rubyonrails.org/2019/3/13/Rails-4-2-5-1-5-1-6-2-have-been-released/"
            },
            {
              "name": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI",
              "refsource": "CONFIRM",
              "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/GN7w9fFAQeI"
            },
            {
              "name": "[debian-lts-announce] 20190331 [SECURITY] [DLA 1739-1] rails security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2019/03/msg00042.html"
            },
            {
              "name": "RHSA-2019:0796",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:0796"
            },
            {
              "name": "openSUSE-SU-2019:1344",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00011.html"
            },
            {
              "name": "FEDORA-2019-1cfe24db5c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/Y43636TH4D6T46IC6N2RQVJTRFJAAYGA/"
            },
            {
              "name": "RHSA-2019:1149",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1149"
            },
            {
              "name": "RHSA-2019:1147",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1147"
            },
            {
              "name": "RHSA-2019:1289",
              "refsource": "REDHAT",
              "url": "https://access.redhat.com/errata/RHSA-2019:1289"
            },
            {
              "name": "openSUSE-SU-2019:1527",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00025.html"
            },
            {
              "name": "openSUSE-SU-2019:1824",
              "refsource": "SUSE",
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00001.html"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "36234546-b8fa-4601-9d6f-f4e334aa8ea1",
    "assignerShortName": "hackerone",
    "cveId": "CVE-2019-5419",
    "datePublished": "2019-03-27T13:43:19.000Z",
    "dateReserved": "2019-01-04T00:00:00.000Z",
    "dateUpdated": "2024-08-04T19:54:53.468Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2019-3869 (GCVE-0-2019-3869)

Vulnerability from cvelistv5 – Published: 2019-03-28 13:04 – Updated: 2024-08-04 19:19

Summary

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges.

Severity ?

7.2 (High)


                        
                          CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-214

Assigner

redhat

References

URL

Tags

	https://github.com/ansible/awx/pull/3505	x_refsource_MISC
	https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2…	x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	Red Hat	Tower	Affected: 3.3.5 Affected: 3.4.3

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T19:19:18.595Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/ansible/awx/pull/3505"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Tower",
          "vendor": "Red Hat",
          "versions": [
            {
              "status": "affected",
              "version": "3.3.5"
            },
            {
              "status": "affected",
              "version": "3.4.3"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges."
        }
      ],
      "metrics": [
        {
          "cvssV3_0": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-214",
              "description": "CWE-214",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2019-03-28T13:04:59.000Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/ansible/awx/pull/3505"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2019-3869",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Tower",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "3.3.5"
                          },
                          {
                            "version_value": "3.4.3"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Red Hat"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environment variables. A malicious user with the ability to write playbooks could use this to gain administrative privileges."
            }
          ]
        },
        "impact": {
          "cvss": [
            [
              {
                "vectorString": "7.2/CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            ]
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-214"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/ansible/awx/pull/3505",
              "refsource": "MISC",
              "url": "https://github.com/ansible/awx/pull/3505"
            },
            {
              "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869",
              "refsource": "CONFIRM",
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3869"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2019-3869",
    "datePublished": "2019-03-28T13:04:59.000Z",
    "dateReserved": "2019-01-03T00:00:00.000Z",
    "dateUpdated": "2024-08-04T19:19:18.595Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Tags

Taxonomy of the tags.

All sightings related to this event Export sightings related to this event

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

RHSA-2019:0796

CVE-2019-5418 (GCVE-0-2019-5418)

CVE-2019-5419 (GCVE-0-2019-5419)

CVE-2019-3869 (GCVE-0-2019-3869)

Tags

Sightings

Nomenclature