ID FEDORA:B59FE21064 Type fedora Reporter Fedora Modified 2012-06-30T08:27:28
Description
Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL.
{"cve": [{"lastseen": "2021-02-02T05:59:49", "description": "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.", "edition": 5, "cvss3": {}, "published": "2012-06-22T14:55:00", "title": "CVE-2012-2661", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2661"], "modified": "2019-08-08T15:42:00", "cpe": ["cpe:/a:rubyonrails:rails:3.0.11", "cpe:/a:rubyonrails:rails:3.1.4", "cpe:/a:rubyonrails:rails:3.2.1", "cpe:/a:rubyonrails:rails:3.1.1", "cpe:/a:rubyonrails:rails:3.0.10", "cpe:/a:rubyonrails:rails:3.0.7", "cpe:/a:rubyonrails:rails:3.1.2", "cpe:/a:rubyonrails:rails:3.0.0", "cpe:/a:rubyonrails:rails:3.1.3", "cpe:/a:rubyonrails:rails:3.0.4", "cpe:/a:rubyonrails:rails:3.1.0", "cpe:/a:rubyonrails:rails:3.0.6", "cpe:/a:rubyonrails:rails:3.0.8", "cpe:/a:rubyonrails:rails:3.0.1", "cpe:/a:rubyonrails:rails:3.2.2", "cpe:/a:rubyonrails:rails:3.0.9", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4", "cpe:/a:rubyonrails:rails:3.0.13", "cpe:/a:rubyonrails:rails:3.2.4", "cpe:/a:rubyonrails:rails:3.2.0", "cpe:/a:rubyonrails:rails:3.0.3", "cpe:/a:rubyonrails:rails:3.2.3", "cpe:/a:rubyonrails:rails:3.0.5", "cpe:/a:rubyonrails:rails:3.0.12", "cpe:/a:rubyonrails:rails:3.0.2", 
"cpe:/a:rubyonrails:rails:3.1.5"], "id": "CVE-2012-2661", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2661", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", 
"cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T05:59:49", "description": "The Active Record component in Ruby on Rails 
before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested hashes, a related issue to CVE-2012-2661.", "edition": 7, "cvss3": {}, "published": "2012-06-22T14:55:00", "title": "CVE-2012-2695", "type": "cve", "cwe": ["CWE-89"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-2695"], "modified": "2019-08-08T15:42:00", "cpe": ["cpe:/a:rubyonrails:rails:3.0.11", "cpe:/a:rubyonrails:rails:3.1.4", "cpe:/a:rubyonrails:rails:3.2.1", "cpe:/a:rubyonrails:rails:3.1.1", "cpe:/a:rubyonrails:rails:3.0.10", "cpe:/a:rubyonrails:rails:3.0.7", "cpe:/a:rubyonrails:rails:3.1.2", "cpe:/a:rubyonrails:rails:3.0.0", "cpe:/a:rubyonrails:rails:3.1.3", "cpe:/a:rubyonrails:rails:3.0.4", "cpe:/a:rubyonrails:rails:3.1.0", "cpe:/a:rubyonrails:rails:3.0.6", "cpe:/a:rubyonrails:rails:3.0.8", "cpe:/a:rubyonrails:rails:3.0.1", "cpe:/a:rubyonrails:rails:3.2.5", "cpe:/a:rubyonrails:rails:3.2.2", "cpe:/a:rubyonrails:rails:3.0.9", "cpe:/a:rubyonrails:ruby_on_rails:3.0.4", "cpe:/a:rubyonrails:rails:3.0.13", "cpe:/a:rubyonrails:rails:3.2.4", "cpe:/a:rubyonrails:rails:3.2.0", "cpe:/a:rubyonrails:ruby_on_rails:3.0.13", "cpe:/a:rubyonrails:rails:3.0.3", "cpe:/a:rubyonrails:rails:3.2.3", "cpe:/a:rubyonrails:rails:3.0.5", "cpe:/a:rubyonrails:rails:3.0.12", "cpe:/a:rubyonrails:rails:3.0.2", 
"cpe:/a:rubyonrails:rails:3.1.5"], "id": "CVE-2012-2695", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2695", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:rubyonrails:rails:3.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc5:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.10:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.2:pre:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.11:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:beta1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.13:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.2:rc2:*:*:*:*:*:*", 
"cpe:2.3:a:rubyonrails:rails:3.1.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.4:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:ruby_on_rails:3.0.13:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc8:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.4:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.7:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.5:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.12:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.2:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc5:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.2.3:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:beta3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:rc2:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.1:pre:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc7:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.1:rc3:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.9:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.6:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.12:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.8:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.10:rc1:*:*:*:*:*:*", 
"cpe:2.3:a:rubyonrails:rails:3.0.2:*:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.1.5:rc1:*:*:*:*:*:*", "cpe:2.3:a:rubyonrails:rails:3.0.0:rc:*:*:*:*:*:*"]}], "openvas": [{"lastseen": "2019-05-29T18:39:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-07-03T00:00:00", "id": "OPENVAS:1361412562310864515", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864515", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2012-9639", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2012-9639\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083129.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864515\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-03 10:23:58 +0530 (Tue, 03 Jul 2012)\");\n script_cve_id(\"CVE-2012-2661\", \"CVE-2012-2695\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9639\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2012-9639\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-activerecord'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"rubygem-activerecord on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.10~3.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-02T10:57:11", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "description": "Check for the Version of rubygem-activerecord", "modified": "2018-01-01T00:00:00", "published": "2012-07-03T00:00:00", "id": "OPENVAS:864515", "href": "http://plugins.openvas.org/nasl.php?oid=864515", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2012-9639", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2012-9639\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"rubygem-activerecord on Fedora 16\";\ntag_insight = \"Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. 
It ties database\n tables and classes together for business objects, like Customer or\n Subscription, that can find, save, and destroy themselves without resorting to\n manual SQL.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083129.html\");\n script_id(864515);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-07-03 10:23:58 +0530 (Tue, 03 Jul 2012)\");\n script_cve_id(\"CVE-2012-2661\", \"CVE-2012-2695\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9639\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2012-9639\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-activerecord\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.10~3.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) 
exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-02T10:57:32", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "description": "Check for the Version of rubygem-activerecord", "modified": "2018-01-01T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:864526", "href": "http://plugins.openvas.org/nasl.php?oid=864526", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2012-9635", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2012-9635\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\ntag_affected = \"rubygem-activerecord on Fedora 17\";\ntag_insight = \"Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. 
It ties database\n tables and classes together for business objects, like Customer or\n Subscription, that can find, save, and destroy themselves without resorting to\n manual SQL.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083139.html\");\n script_id(864526);\n script_version(\"$Revision: 8265 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-01 07:29:23 +0100 (Mon, 01 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:24:44 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2012-9635\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2012-9635\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-activerecord\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.11~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) 
exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:39:07", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2012-08-30T00:00:00", "id": "OPENVAS:1361412562310864526", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864526", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2012-9635", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2012-9635\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2012-June/083139.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864526\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-30 10:24:44 +0530 (Thu, 30 Aug 2012)\");\n script_cve_id(\"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2012-9635\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2012-9635\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-activerecord'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-activerecord on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = 
\"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.11~3.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2018-01-22T13:09:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-6496", "CVE-2012-2661"], "description": "Check for the Version of rubygem-activerecord", "modified": "2018-01-22T00:00:00", "published": "2013-01-15T00:00:00", "id": "OPENVAS:864992", "href": "http://plugins.openvas.org/nasl.php?oid=864992", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2013-0245", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2013-0245\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-activerecord on Fedora 17\";\ntag_insight = \"Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. 
It ties database\n tables and classes together for business objects, like Customer or\n Subscription, that can find, save, and destroy themselves without resorting to\n manual SQL.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096815.html\");\n script_id(864992);\n script_version(\"$Revision: 8483 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-22 07:58:04 +0100 (Mon, 22 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-15 18:05:53 +0530 (Tue, 15 Jan 2013)\");\n script_cve_id(\"CVE-2012-6496\", \"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2013-0245\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2013-0245\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-activerecord\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.11~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2018-01-22T13:09:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-6496", "CVE-2012-2661"], "description": "Check for the Version of rubygem-activerecord", "modified": "2018-01-22T00:00:00", "published": "2013-01-15T00:00:00", "id": "OPENVAS:864987", "href": "http://plugins.openvas.org/nasl.php?oid=864987", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2013-0244", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2013-0244\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ninclude(\"revisions-lib.inc\");\n\ntag_affected = \"rubygem-activerecord on Fedora 16\";\ntag_insight = \"Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. 
It ties database\n tables and classes together for business objects, like Customer or\n Subscription, that can find, save, and destroy themselves without resorting to\n manual SQL.\";\ntag_solution = \"Please Install the Updated Packages.\";\n\n\n\nif(description)\n{\n script_xref(name : \"URL\" , value : \"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096787.html\");\n script_id(864987);\n script_version(\"$Revision: 8483 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-01-22 07:58:04 +0100 (Mon, 22 Jan 2018) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-15 18:05:36 +0530 (Tue, 15 Jan 2013)\");\n script_cve_id(\"CVE-2012-6496\", \"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name: \"FEDORA\", value: \"2013-0244\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2013-0244\");\n\n script_tag(name: \"summary\" , value: \"Check for the Version of rubygem-activerecord\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\");\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = get_kb_item(\"ssh/login/release\");\n\nres = \"\";\nif(release == NULL){\n exit(0);\n}\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.10~4.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n 
if (__pkg_match) exit(99); # Not vulnerable.\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T18:38:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-6496", "CVE-2012-2661"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-15T00:00:00", "id": "OPENVAS:1361412562310864987", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864987", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2013-0244", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2013-0244\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096787.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864987\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-15 18:05:36 +0530 (Tue, 15 Jan 2013)\");\n script_cve_id(\"CVE-2012-6496\", \"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2013-0244\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2013-0244\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-activerecord'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC16\");\n script_tag(name:\"affected\", value:\"rubygem-activerecord on Fedora 16\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n 
exit(0);\n\nres = \"\";\n\nif(release == \"FC16\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.10~4.fc16\", rls:\"FC16\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-6496", "CVE-2012-2661"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2013-01-15T00:00:00", "id": "OPENVAS:1361412562310864992", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864992", "type": "openvas", "title": "Fedora Update for rubygem-activerecord FEDORA-2013-0245", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for rubygem-activerecord FEDORA-2013-0245\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096815.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.864992\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2013-01-15 18:05:53 +0530 (Tue, 15 Jan 2013)\");\n script_cve_id(\"CVE-2012-6496\", \"CVE-2012-2695\", \"CVE-2012-2661\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_xref(name:\"FEDORA\", value:\"2013-0245\");\n script_name(\"Fedora Update for rubygem-activerecord FEDORA-2013-0245\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rubygem-activerecord'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2013 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC17\");\n script_tag(name:\"affected\", value:\"rubygem-activerecord on Fedora 17\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n 
exit(0);\n\nres = \"\";\n\nif(release == \"FC17\")\n{\n\n if ((res = isrpmvuln(pkg:\"rubygem-activerecord\", rpm:\"rubygem-activerecord~3.0.11~4.fc17\", rls:\"FC17\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:38:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694"], "description": "The remote host is missing an update to the system\n as announced in the referenced advisory.", "modified": "2018-10-05T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:136141256231071520", "href": "http://plugins.openvas.org/nasl.php?oid=136141256231071520", "type": "openvas", "title": "FreeBSD Ports: rubygem-activemodel", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: freebsd_rubygem-activemodel.nasl 11762 2018-10-05 10:54:12Z cfischer $\n#\n# Auto generated from VID 748aa89f-d529-11e1-82ab-001fd0af1a4c\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.71520\");\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\");\n script_version(\"$Revision: 11762 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-05 12:54:12 +0200 (Fri, 05 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:17 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"FreeBSD Ports: rubygem-activemodel\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsd\", \"ssh/login/freebsdrel\");\n\n script_tag(name:\"insight\", value:\"The following package is affected: rubygem-activemodel\n\nCVE-2012-2660\nactionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before\n3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly\nconsider differences in parameter handling between the Active Record\ncomponent and the Rack interface, which allows remote attackers to\nbypass intended database-query restrictions and perform NULL checks\nvia a crafted request, as demonstrated by certain '[nil]' values, a\nrelated issue to CVE-2012-2694.\nCVE-2012-2661\nThe Active Record component in Ruby on Rails 3.0.x before 3.0.13,\n3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement\nthe passing of request data to a where method in an ActiveRecord\nclass, which 
allows remote attackers to conduct certain SQL injection\nattacks via nested query parameters that leverage unintended\nrecursion, a related issue to CVE-2012-2695.\");\n\n script_tag(name:\"solution\", value:\"Update your system with the appropriate patches or\n software upgrades.\");\n\n script_xref(name:\"URL\", value:\"https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8\");\n script_xref(name:\"URL\", value:\"https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k\");\n script_xref(name:\"URL\", value:\"http://www.vuxml.org/freebsd/748aa89f-d529-11e1-82ab-001fd0af1a4c.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update to the system\n as announced in the referenced advisory.\");\n\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-bsd.inc\");\n\nvuln = FALSE;\ntxt = \"\";\n\nbver = portver(pkg:\"rubygem-activemodel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.4\")<0) {\n txt += \"Package rubygem-activemodel version \" + bver + \" is installed which is known to be vulnerable.\\n\";\n vuln = TRUE;\n}\n\nif(vuln) {\n security_message(data:txt);\n} else if (__pkg_match) {\n exit(99);\n}", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2017-07-02T21:10:51", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694"], "description": "The remote host is missing an update to the system\nas announced in the referenced advisory.", "modified": "2017-04-24T00:00:00", "published": "2012-08-10T00:00:00", "id": "OPENVAS:71520", "href": "http://plugins.openvas.org/nasl.php?oid=71520", "type": "openvas", "title": "FreeBSD Ports: rubygem-activemodel", "sourceData": "#\n#VID 748aa89f-d529-11e1-82ab-001fd0af1a4c\n# OpenVAS Vulnerability Test\n# $\n# Description: Auto generated 
from VID 748aa89f-d529-11e1-82ab-001fd0af1a4c\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2012 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largely excerpted from the referenced\n# advisories, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"The following package is affected: rubygem-activemodel\n\nCVE-2012-2660\nactionpack/lib/action_dispatch/http/request.rb in Ruby on Rails before\n3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly\nconsider differences in parameter handling between the Active Record\ncomponent and the Rack interface, which allows remote attackers to\nbypass intended database-query restrictions and perform NULL checks\nvia a crafted request, as demonstrated by certain '[nil]' values, a\nrelated issue to CVE-2012-2694.\nCVE-2012-2661\nThe Active Record component in Ruby on Rails 3.0.x before 3.0.13,\n3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement\nthe passing of request data to a where method in an ActiveRecord\nclass, which allows remote attackers to conduct certain SQL injection\nattacks via nested query parameters that leverage unintended\nrecursion, a related issue to CVE-2012-2695.\";\ntag_solution = \"Update your system with the appropriate 
patches or\nsoftware upgrades.\n\nhttps://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8\nhttps://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k\nhttp://www.vuxml.org/freebsd/748aa89f-d529-11e1-82ab-001fd0af1a4c.html\";\ntag_summary = \"The remote host is missing an update to the system\nas announced in the referenced advisory.\";\n\n\n\nif(description)\n{\n script_id(71520);\n script_tag(name:\"cvss_base\", value:\"6.4\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\");\n script_version(\"$Revision: 6018 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-04-24 11:02:24 +0200 (Mon, 24 Apr 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-08-10 03:22:17 -0400 (Fri, 10 Aug 2012)\");\n script_name(\"FreeBSD Ports: rubygem-activemodel\");\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2012 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"FreeBSD Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/freebsdrel\", \"login/SSH/success\");\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-bsd.inc\");\nvuln = 0;\ntxt = \"\";\nbver = portver(pkg:\"rubygem-activemodel\");\nif(!isnull(bver) && revcomp(a:bver, b:\"3.2.4\")<0) {\n txt += \"Package rubygem-activemodel version \" + bver + \" is installed which is known to be vulnerable.\\n\";\n vuln = 1;\n}\n\nif(vuln) {\n security_message(data:string(txt ));\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "fedora": [{"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2012-06-30T08:25:19", "published": "2012-06-30T08:25:19", "id": "FEDORA:D395D20FF2", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-activerecord-3.0.10-3.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695", "CVE-2012-6496"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. 
It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2013-01-15T02:31:35", "published": "2013-01-15T02:31:35", "id": "FEDORA:4F41F20723", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-activerecord-3.0.11-4.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695", "CVE-2012-6496"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2013-01-15T02:22:33", "published": "2013-01-15T02:22:33", "id": "FEDORA:120C220093", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-activerecord-3.0.10-4.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695", "CVE-2012-6496", "CVE-2013-0155", "CVE-2013-0277"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties database tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. 
", "modified": "2013-02-21T05:33:12", "published": "2013-02-21T05:33:12", "id": "FEDORA:A683320E82", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-activerecord-3.0.11-6.fc17", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695", "CVE-2012-6496", "CVE-2013-0155", "CVE-2013-0156"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2013-01-23T01:34:00", "published": "2013-01-23T01:34:00", "id": "FEDORA:20AB92101C", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-activerecord-3.0.10-5.fc16", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661", "CVE-2012-2695", "CVE-2012-6496", "CVE-2013-0155", "CVE-2013-0156"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2013-01-23T01:53:38", "published": "2013-01-23T01:53:38", "id": "FEDORA:97F30216D6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-activerecord-3.0.11-5.fc17", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. 
", "modified": "2012-06-15T12:32:36", "published": "2012-06-15T12:32:36", "id": "FEDORA:A50EA210F7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 17 Update: rubygem-activerecord-3.0.11-2.fc17", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2012-06-15T12:31:06", "published": "2012-06-15T12:31:06", "id": "FEDORA:7D9E42123A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 16 Update: rubygem-activerecord-3.0.10-2.fc16", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-12-21T08:17:51", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2661"], "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "modified": "2012-06-15T12:31:35", "published": "2012-06-15T12:31:35", "id": "FEDORA:4356F20E85", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 15 Update: rubygem-activerecord-3.0.5-3.fc15", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "nessus": [{"lastseen": "2021-01-12T10:10:46", "description": "Fix for CVE-2012-2695.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-07-01T00:00:00", "title": "Fedora 17 : rubygem-activerecord-3.0.11-3.fc17 (2012-9635)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "modified": "2012-07-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:rubygem-activerecord"], "id": "FEDORA_2012-9635.NASL", "href": "https://www.tenable.com/plugins/nessus/59804", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9635.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59804);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2661\", \"CVE-2012-2695\");\n script_bugtraq_id(53753, 53970);\n script_xref(name:\"FEDORA\", value:\"2012-9635\");\n\n script_name(english:\"Fedora 17 : rubygem-activerecord-3.0.11-3.fc17 (2012-9635)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2012-2695.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=831573\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/083139.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8ca01237\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-activerecord package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"rubygem-activerecord-3.0.11-3.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-activerecord\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:46", "description": "Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-07-01T00:00:00", "title": "Fedora 16 : rubygem-activerecord-3.0.10-3.fc16 (2012-9639)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2661"], "modified": "2012-07-01T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:rubygem-activerecord"], "id": "FEDORA_2012-9639.NASL", "href": "https://www.tenable.com/plugins/nessus/59806", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-9639.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59806);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2661\", \"CVE-2012-2695\");\n script_bugtraq_id(53753, 53970);\n script_xref(name:\"FEDORA\", value:\"2012-9639\");\n\n script_name(english:\"Fedora 16 : rubygem-activerecord-3.0.10-3.fc16 (2012-9639)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=831573\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/083129.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?c80825e7\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-activerecord package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/01\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"rubygem-activerecord-3.0.10-3.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-activerecord\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-20T12:25:27", "description": "Multiple version upgrades for rails components.", "edition": 16, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : rubygem-actionmailer-3_2 / rubygem-actionpack-3_2 / rubygem-activemodel-3_2 / etc (openSUSE-SU-2012:1066-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3424", "CVE-2012-2695", "CVE-2012-2660", 
"CVE-2012-2661", "CVE-2012-2694"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2", "p-cpe:/a:novell:opensuse:rubygem-sprockets-2_1", "p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2", "p-cpe:/a:novell:opensuse:rubygem-journey-1_0-testsuite", "p-cpe:/a:novell:opensuse:rubygem-rails-3_2", "p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2", "p-cpe:/a:novell:opensuse:rubygem-railties-3_2", "p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2", "p-cpe:/a:novell:opensuse:rubygem-journey-1_0", "p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2", "cpe:/o:novell:opensuse:12.2", "p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2"], "id": "OPENSUSE-2012-536.NASL", "href": "https://www.tenable.com/plugins/nessus/74727", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-536.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74727);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\", \"CVE-2012-2694\", \"CVE-2012-2695\", \"CVE-2012-3424\");\n\n script_name(english:\"openSUSE Security Update : rubygem-actionmailer-3_2 / rubygem-actionpack-3_2 / rubygem-activemodel-3_2 / etc (openSUSE-SU-2012:1066-1)\");\n script_summary(english:\"Check for the openSUSE-2012-536 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\"Multiple version upgrades for rails components.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-08/msg00046.html\"\n );\n 
script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-actionmailer-3_2 / rubygem-actionpack-3_2 / rubygem-activemodel-3_2 / etc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionmailer-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activemodel-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activeresource-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activesupport-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-journey-1_0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-journey-1_0-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-rails-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-railties-3_2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-sprockets-2_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionmailer-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-actionpack-3_2-3.2.7-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activemodel-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activerecord-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activeresource-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-activesupport-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-journey-1_0-1.0.4-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-journey-1_0-testsuite-1.0.4-3.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-rails-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", reference:\"rubygem-railties-3_2-3.2.7-2.4.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.2\", 
reference:\"rubygem-sprockets-2_1-2.1.3-3.4.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-actionmailer-3_2 / rubygem-actionpack-3_2 / etc\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-12T10:10:43", "description": "Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2012-06-18T00:00:00", "title": "Fedora 16 : rubygem-activerecord-3.0.10-2.fc16 (2012-8982)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2661"], "modified": "2012-06-18T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:16", "p-cpe:/a:fedoraproject:fedora:rubygem-activerecord"], "id": "FEDORA_2012-8982.NASL", "href": "https://www.tenable.com/plugins/nessus/59544", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8982.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59544);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2661\");\n script_xref(name:\"FEDORA\", value:\"2012-8982\");\n\n script_name(english:\"Fedora 16 : rubygem-activerecord-3.0.10-2.fc16 (2012-8982)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security 
update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=827363\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082303.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?14df3a64\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-activerecord package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:16\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = 
eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^16([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 16.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC16\", reference:\"rubygem-activerecord-3.0.10-2.fc16\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-activerecord\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:10:43", "description": "Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "published": "2012-06-18T00:00:00", "title": "Fedora 15 : rubygem-activerecord-3.0.5-3.fc15 (2012-8972)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2661"], "modified": "2012-06-18T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:15", "p-cpe:/a:fedoraproject:fedora:rubygem-activerecord"], "id": "FEDORA_2012-8972.NASL", "href": "https://www.tenable.com/plugins/nessus/59543", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8972.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59543);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2661\");\n script_xref(name:\"FEDORA\", value:\"2012-8972\");\n\n script_name(english:\"Fedora 15 : rubygem-activerecord-3.0.5-3.fc15 (2012-8972)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=827363\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082306.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e3329606\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-activerecord package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:15\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
ereg(pattern:\"^15([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 15.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC15\", reference:\"rubygem-activerecord-3.0.5-3.fc15\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-activerecord\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-12T10:10:42", "description": "Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 14, "published": "2012-06-18T00:00:00", "title": "Fedora 17 : rubygem-activerecord-3.0.11-2.fc17 (2012-8901)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2661"], "modified": "2012-06-18T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:17", "p-cpe:/a:fedoraproject:fedora:rubygem-activerecord"], "id": "FEDORA_2012-8901.NASL", "href": "https://www.tenable.com/plugins/nessus/59535", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory 2012-8901.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(59535);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2012-2661\");\n script_bugtraq_id(53753);\n script_xref(name:\"FEDORA\", value:\"2012-8901\");\n\n script_name(english:\"Fedora 17 : rubygem-activerecord-3.0.11-2.fc17 (2012-8901)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Fix for CVE-2012-2661.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.redhat.com/show_bug.cgi?id=827363\"\n );\n # https://lists.fedoraproject.org/pipermail/package-announce/2012-June/082311.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?5c7f7598\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-activerecord package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:17\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/06/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/06/18\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = eregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! ereg(pattern:\"^17([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 17.x\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"FC17\", reference:\"rubygem-activerecord-3.0.11-2.fc17\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-activerecord\");\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2021-01-07T10:45:44", "description": "rubygem-activerecord -- multiple vulernabilities\n\nDue to the way Active Record interprets parameters in combination with\nthe way that Rack parses query parameters, it is possible for an\nattacker to issue unexpected database queries with 'IS NULL' where\nclauses. 
This issue does *not* let an attacker insert arbitrary values\ninto a SQL query, however they can cause the query to check for NULL\nwhere most users wouldn't expect it.\n\nDue to the way Active Record handles nested query parameters, an\nattacker can use a specially crafted request to inject some forms of\nSQL into your application's SQL queries.", "edition": 22, "published": "2012-07-24T00:00:00", "title": "FreeBSD : rubygem-activerecord -- multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2660", "CVE-2012-2661"], "modified": "2012-07-24T00:00:00", "cpe": ["cpe:/o:freebsd:freebsd", "p-cpe:/a:freebsd:freebsd:rubygem-activemodel"], "id": "FREEBSD_PKG_748AA89FD52911E182AB001FD0AF1A4C.NASL", "href": "https://www.tenable.com/plugins/nessus/60101", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2018 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. 
Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(60101);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\");\n\n script_name(english:\"FreeBSD : rubygem-activerecord -- multiple vulnerabilities (748aa89f-d529-11e1-82ab-001fd0af1a4c)\");\n script_summary(english:\"Checks for updated package in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote FreeBSD host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"rubygem-activerecord -- multiple vulernabilities\n\nDue to the way Active Record interprets parameters in combination with\nthe way that Rack parses query parameters, it is possible for an\nattacker 
to issue unexpected database queries with 'IS NULL' where\nclauses. This issue does *not* let an attacker insert arbitrary values\ninto a SQL query, however they can cause the query to check for NULL\nwhere most users wouldn't expect it.\n\nDue to the way Active Record handles nested query parameters, an\nattacker can use a specially crafted request to inject some forms of\nSQL into your application's SQL queries.\"\n );\n # https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/8SA-M3as7A8\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f997721c\"\n );\n # https://groups.google.com/forum/?fromgroups#!topic/rubyonrails-security/dUaiOOGWL1k\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?ad95742e\"\n );\n # https://vuxml.freebsd.org/freebsd/748aa89f-d529-11e1-82ab-001fd0af1a4c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?482ec7fb\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/05/31\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/07/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2012/07/24\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2012-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-activemodel<3.2.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-20T12:25:25", "description": "3 Security issues were fixed in rails 2.3 core components.\n\n2 NULL query issues where fixed in the actionpack gem. 
1 SQL injection\nwas fixed in the activerecord gem.", "edition": 19, "published": "2014-06-13T00:00:00", "title": "openSUSE Security Update : rubygem-actionpack/activerecord-2_3 (openSUSE-SU-2012:0978-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2694"], "modified": "2014-06-13T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3", "cpe:/o:novell:opensuse:12.1", "p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3", "p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite"], "id": "OPENSUSE-2012-508.NASL", "href": "https://www.tenable.com/plugins/nessus/74710", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2012-508.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(74710);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2694\", \"CVE-2012-2695\");\n\n script_name(english:\"openSUSE Security Update : rubygem-actionpack/activerecord-2_3 (openSUSE-SU-2012:0978-1)\");\n script_summary(english:\"Check for the openSUSE-2012-508 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"3 Security issues were fixed in rails 2.3 core components.\n\n2 NULL query issues where fixed in the actionpack gem. 
1 SQL injection\nwas fixed in the activerecord gem.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=765097\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.novell.com/show_bug.cgi?id=766792\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.opensuse.org/opensuse-updates/2012-08/msg00020.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected rubygem-actionpack/activerecord-2_3 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-actionpack-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rubygem-activerecord-2_3-testsuite\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:12.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2012/08/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/06/13\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE12\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"12.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-2.3.14-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-actionpack-2_3-testsuite-2.3.14-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-2.3.14-3.8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE12.1\", reference:\"rubygem-activerecord-2_3-testsuite-2.3.14-3.8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-actionpack/activerecord-2_3\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:11:42", "description": "Updated rubygem-actionpack, rubygem-activesupport, and\nrubygem-activerecord packages that fix multiple security issues are\nnow available for Red Hat Subscription Asset Manager.\n\nThe Red Hat 
Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nRuby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components. Active Record implements object-relational mapping\nfor accessing database entries using objects. Active Support provides\nsupport and utility classes used by the Ruby on Rails framework.\n\nMultiple flaws were found in the way Ruby on Rails performed XML\nparameter parsing in HTTP requests. A remote attacker could use these\nflaws to execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the\nauthentication using a specially-created HTTP request. (CVE-2013-0156)\n\nRed Hat is aware that a public exploit for the CVE-2013-0156 issues is\navailable that allows remote code execution in applications using Ruby\non Rails.\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496,\nCVE-2013-0155)\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-actionpack. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660,\nCVE-2012-2694)\n\nMultiple cross-site scripting (XSS) flaws were found in\nrubygem-actionpack. 
A remote attacker could use these flaws to conduct\nXSS attacks against users of an application using rubygem-actionpack.\n(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and\ndigest authentication. (CVE-2012-3424)\n\nUsers are advised to upgrade to these updated rubygem-actionpack,\nrubygem-activesupport, and rubygem-activerecord packages, which\nresolve these issues. Katello must be restarted ('service katello\nrestart') for this update to take effect.", "edition": 26, "published": "2013-01-24T00:00:00", "title": "RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3463", "CVE-2012-3465", "CVE-2012-3424", "CVE-2012-2695", "CVE-2013-0156", "CVE-2012-6496", "CVE-2012-2660", "CVE-2012-3464", "CVE-2012-2661", "CVE-2012-2694", "CVE-2013-0155"], "modified": "2013-01-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord", "p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack", "p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport", "cpe:/o:redhat:enterprise_linux:6"], "id": "REDHAT-RHSA-2013-0154.NASL", "href": "https://www.tenable.com/plugins/nessus/64076", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0154. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(64076);\n script_version(\"1.23\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\", \"CVE-2012-2694\", \"CVE-2012-2695\", \"CVE-2012-3424\", \"CVE-2012-3463\", \"CVE-2012-3464\", \"CVE-2012-3465\", \"CVE-2012-6496\", \"CVE-2013-0155\", \"CVE-2013-0156\");\n script_xref(name:\"RHSA\", value:\"2013:0154\");\n\n script_name(english:\"RHEL 6 : Ruby on Rails in Subscription Asset Manager (RHSA-2013:0154)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated rubygem-actionpack, rubygem-activesupport, and\nrubygem-activerecord packages that fix multiple security issues are\nnow available for Red Hat Subscription Asset Manager.\n\nThe Red Hat Security Response Team has rated this update as having\ncritical security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nRuby on Rails is a model-view-controller (MVC) framework for web\napplication development. Action Pack implements the controller and the\nview components. Active Record implements object-relational mapping\nfor accessing database entries using objects. Active Support provides\nsupport and utility classes used by the Ruby on Rails framework.\n\nMultiple flaws were found in the way Ruby on Rails performed XML\nparameter parsing in HTTP requests. 
A remote attacker could use these\nflaws to execute arbitrary code with the privileges of a Ruby on Rails\napplication, perform SQL injection attacks, or bypass the\nauthentication using a specially-created HTTP request. (CVE-2013-0156)\n\nRed Hat is aware that a public exploit for the CVE-2013-0156 issues is\navailable that allows remote code execution in applications using Ruby\non Rails.\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496,\nCVE-2013-0155)\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-actionpack. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660,\nCVE-2012-2694)\n\nMultiple cross-site scripting (XSS) flaws were found in\nrubygem-actionpack. A remote attacker could use these flaws to conduct\nXSS attacks against users of an application using rubygem-actionpack.\n(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and\ndigest authentication. (CVE-2012-3424)\n\nUsers are advised to upgrade to these updated rubygem-actionpack,\nrubygem-activesupport, and rubygem-activerecord packages, which\nresolve these issues. 
Katello must be restarted ('service katello\nrestart') for this update to take effect.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0154\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2694\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3464\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-6496\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0155\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0156\"\n );\n # https://access.redhat.com/knowledge/solutions/290903\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/solutions/290903\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Update the affected rubygem-actionpack, rubygem-activerecord and / or\nrubygem-activesupport packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby on Rails XML Processor YAML Deserialization Code Execution');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/01/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/01/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2013-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0154\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n\n if (! 
(rpm_exists(release:\"RHEL6\", rpm:\"candlepin-\"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, \"Subscription Asset Manager\");\n\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-actionpack-3.0.10-11.el6cf\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-activerecord-3.0.10-8.el6cf\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-activesupport-3.0.10-5.el6cf\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rubygem-actionpack / rubygem-activerecord / rubygem-activesupport\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-01-17T13:12:05", "description": "Red Hat OpenShift Enterprise 1.1.1 is now available.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nInstalling the updated packages and restarting the OpenShift services\nare the only requirements for this update. However, if you are\nupdating your system to Red Hat Enterprise Linux 6.4 while applying\nOpenShift Enterprise 1.1.1 updates, it is recommended that you restart\nyour system.\n\nFor further information about this release, refer to the OpenShift\nEnterprise 1.1.1 Technical Notes, available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThis update also fixes the following security issues :\n\nMultiple cross-site scripting (XSS) flaws were found in\nrubygem-actionpack. 
A remote attacker could use these flaws to conduct\nXSS attacks against users of an application using rubygem-actionpack.\n(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)\n\nIt was found that certain methods did not sanitize file names before\npassing them to lower layer routines in Ruby. If a Ruby application\ncreated files with names based on untrusted input, it could result in\nthe creation of files with different names than expected.\n(CVE-2012-4522)\n\nA denial of service flaw was found in the implementation of\nassociative arrays (hashes) in Ruby. An attacker able to supply a\nlarge number of inputs to a Ruby application (such as HTTP POST\nrequest parameters sent to a web application) that are used as keys\nwhen inserting data into an array could trigger multiple hash function\ncollisions, making array operations take an excessive amount of CPU\ntime. To mitigate this issue, a new, more collision resistant\nalgorithm has been used to reduce the chance of an attacker\nsuccessfully causing intentional collisions. (CVE-2012-5371)\n\nInput validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)\n\nInput validation vulnerabilities were discovered in\nrubygem-actionpack. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660,\nCVE-2012-2694)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and\ndigest authentication. (CVE-2012-3424)\n\nA flaw was found in the handling of strings in Ruby safe level 4. 
A\nremote attacker can use Exception#to_s to destructively modify an\nuntainted string so that it is tainted, the string can then be\narbitrarily modified. (CVE-2012-4466)\n\nA flaw was found in the method for translating an exception message\ninto a string in the Ruby Exception class. A remote attacker could use\nthis flaw to bypass safe level 4 restrictions, allowing untrusted\n(tainted) code to modify arbitrary, trusted (untainted) strings, which\nsafe level 4 restrictions would otherwise prevent. (CVE-2012-4464)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a\ntemporary file in an insecure way. A local attacker could use this\nflaw to perform a symbolic link attack, overwriting arbitrary files\naccessible to the application using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2013-0162 issue was discovered by Michael Scherer of the Red\nHat Regional IT team.\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.", "edition": 18, "published": "2018-12-06T00:00:00", "title": "RHEL 6 : openshift (RHSA-2013:0582)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-3463", "CVE-2012-3465", "CVE-2012-5371", "CVE-2012-3424", "CVE-2013-0276", "CVE-2012-2695", "CVE-2012-4466", "CVE-2012-2660", "CVE-2012-3464", "CVE-2012-4464", "CVE-2013-0162", "CVE-2012-2661", "CVE-2012-2694", "CVE-2013-0155", "CVE-2012-4522"], "modified": "2018-12-06T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:ruby193-ruby", "p-cpe:/a:redhat:enterprise_linux:php-debuginfo", "p-cpe:/a:redhat:enterprise_linux:php-devel", "p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord", "p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser-doc", "p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-minitest", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-devel", "p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-perl-5.10", 
"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-auth-remote-user", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mysql-5.1", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective", "p-cpe:/a:redhat:enterprise_linux:rubygem-mongo-doc", "p-cpe:/a:redhat:enterprise_linux:graphviz", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-php-5.3", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-debuginfo", "p-cpe:/a:redhat:enterprise_linux:php-mbstring", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activemodel", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-diy-0.1", "p-cpe:/a:redhat:enterprise_linux:php-imap", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rdoc", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy-1.4", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbosseap-6.0", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-libs", "p-cpe:/a:redhat:enterprise_linux:graphviz-debuginfo", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygems", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-cron-1.4", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-client-1.4", "p-cpe:/a:redhat:enterprise_linux:openshift-console", "p-cpe:/a:redhat:enterprise_linux:rubygem-mongo", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-irb", "p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-tcltk", "p-cpe:/a:redhat:enterprise_linux:rubygem-bson", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.9-scl", "p-cpe:/a:redhat:enterprise_linux:graphviz-gd", "p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console-doc", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbossews-1.0", "p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygems-devel", 
"p-cpe:/a:redhat:enterprise_linux:graphviz-ruby", "p-cpe:/a:redhat:enterprise_linux:php-process", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-ruby_parser-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-railties", "p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node", "p-cpe:/a:redhat:enterprise_linux:graphviz-devel", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-1.4", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activemodel-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord-doc", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-postgresql-8.4", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-bigdecimal", "cpe:/o:redhat:enterprise_linux:6", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-io-console", "p-cpe:/a:redhat:enterprise_linux:rubygem-activemodel-doc", "p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-controller", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-json", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack", "p-cpe:/a:redhat:enterprise_linux:rubygem-activemodel", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker-util", "p-cpe:/a:redhat:enterprise_linux:php-bcmath", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-railties-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rake", "p-cpe:/a:redhat:enterprise_linux:graphviz-doc", "p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-ruby_parser", "p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.8"], "id": "REDHAT-RHSA-2013-0582.NASL", "href": "https://www.tenable.com/plugins/nessus/119432", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2013:0582. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(119432);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2012-2660\", \"CVE-2012-2661\", \"CVE-2012-2694\", \"CVE-2012-2695\", \"CVE-2012-3424\", \"CVE-2012-3463\", \"CVE-2012-3464\", \"CVE-2012-3465\", \"CVE-2012-4464\", \"CVE-2012-4466\", \"CVE-2012-4522\", \"CVE-2012-5371\", \"CVE-2013-0155\", \"CVE-2013-0162\", \"CVE-2013-0276\");\n script_bugtraq_id(53753, 53754, 53970, 53976, 54704, 54957, 54958, 54959, 55757, 56115, 56484, 57192, 58110);\n script_xref(name:\"RHSA\", value:\"2013:0582\");\n\n script_name(english:\"RHEL 6 : openshift (RHSA-2013:0582)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Red Hat OpenShift Enterprise 1.1.1 is now available.\n\nThe Red Hat Security Response Team has rated this update as having\nmoderate security impact. Common Vulnerability Scoring System (CVSS)\nbase scores, which give detailed severity ratings, are available for\neach vulnerability from the CVE links in the References section.\n\nOpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nInstalling the updated packages and restarting the OpenShift services\nare the only requirements for this update. 
However, if you are\nupdating your system to Red Hat Enterprise Linux 6.4 while applying\nOpenShift Enterprise 1.1.1 updates, it is recommended that you restart\nyour system.\n\nFor further information about this release, refer to the OpenShift\nEnterprise 1.1.1 Technical Notes, available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThis update also fixes the following security issues :\n\nMultiple cross-site scripting (XSS) flaws were found in\nrubygem-actionpack. A remote attacker could use these flaws to conduct\nXSS attacks against users of an application using rubygem-actionpack.\n(CVE-2012-3463, CVE-2012-3464, CVE-2012-3465)\n\nIt was found that certain methods did not sanitize file names before\npassing them to lower layer routines in Ruby. If a Ruby application\ncreated files with names based on untrusted input, it could result in\nthe creation of files with different names than expected.\n(CVE-2012-4522)\n\nA denial of service flaw was found in the implementation of\nassociative arrays (hashes) in Ruby. An attacker able to supply a\nlarge number of inputs to a Ruby application (such as HTTP POST\nrequest parameters sent to a web application) that are used as keys\nwhen inserting data into an array could trigger multiple hash function\ncollisions, making array operations take an excessive amount of CPU\ntime. To mitigate this issue, a new, more collision resistant\nalgorithm has been used to reduce the chance of an attacker\nsuccessfully causing intentional collisions. (CVE-2012-5371)\n\nInput validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)\n\nInput validation vulnerabilities were discovered in\nrubygem-actionpack. 
A remote attacker could possibly use these flaws\nto perform a SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660,\nCVE-2012-2694)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and\ndigest authentication. (CVE-2012-3424)\n\nA flaw was found in the handling of strings in Ruby safe level 4. A\nremote attacker can use Exception#to_s to destructively modify an\nuntainted string so that it is tainted, the string can then be\narbitrarily modified. (CVE-2012-4466)\n\nA flaw was found in the method for translating an exception message\ninto a string in the Ruby Exception class. A remote attacker could use\nthis flaw to bypass safe level 4 restrictions, allowing untrusted\n(tainted) code to modify arbitrary, trusted (untainted) strings, which\nsafe level 4 restrictions would otherwise prevent. (CVE-2012-4464)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a\ntemporary file in an insecure way. A local attacker could use this\nflaw to perform a symbolic link attack, overwriting arbitrary files\naccessible to the application using ruby_parser. 
(CVE-2013-0162)\n\nThe CVE-2013-0162 issue was discovered by Michael Scherer of the Red\nHat Regional IT team.\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.\"\n );\n # https://access.redhat.com/knowledge/docs/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/documentation/en-us/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2013:0582\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2660\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3463\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3465\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3424\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2661\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2694\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-2695\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-3464\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-4522\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0155\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-4464\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2012-5371\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://access.redhat.com/security/cve/cve-2012-4466\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0162\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2013-0276\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz-gd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:graphviz-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-broker-util\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-cron-1.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-diy-0.1\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-haproxy-1.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbosseap-6.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jbossews-1.0\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-1.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-jenkins-client-1.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-mysql-5.1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-perl-5.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-php-5.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-postgresql-8.4\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-cartridge-ruby-1.9-scl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:openshift-origin-msg-node-mcollective\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-bcmath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-imap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-mbstring\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:php-process\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-irb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-ruby-tcltk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activemodel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-activerecord-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-bigdecimal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-io-console\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-minitest\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-railties-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-rdoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-ruby_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-ruby_parser-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygems\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygems-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activemodel-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-bson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-mongo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-mongo-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-auth-remote-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-console-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-controller\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-openshift-origin-node\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-ruby_parser-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2012/06/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/02/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/12/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^6([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2013:0582\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-debuginfo-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-devel-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-doc-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-gd-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"graphviz-ruby-2.26.0-10.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-console-0.0.16-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-broker-1.0.11-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-broker-util-1.0.15-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-cron-1.4-1.0.3-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-diy-0.1-1.0.3-1.el6\")) 
flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-haproxy-1.4-1.0.4-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-jbosseap-6.0-1.0.4-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-jbossews-1.0-1.0.13-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-jenkins-1.4-1.0.2-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-jenkins-client-1.4-1.0.2-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-mysql-5.1-1.0.5-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-perl-5.10-1.0.3-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-php-5.3-1.0.5-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-postgresql-8.4-1.0.3-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-ruby-1.8-1.0.7-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-cartridge-ruby-1.9-scl-1.0.8-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"openshift-origin-msg-node-mcollective-1.0.3-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-bcmath-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-debuginfo-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-devel-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-imap-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-mbstring-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"php-process-5.3.3-22.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", 
reference:\"ruby193-ruby-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-ruby-debuginfo-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-ruby-devel-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-ruby-doc-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-ruby-irb-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-ruby-libs-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-ruby-tcltk-1.9.3.327-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-actionpack-3.2.8-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-actionpack-doc-3.2.8-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-activemodel-3.2.8-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-activemodel-doc-3.2.8-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-activerecord-3.2.8-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-activerecord-doc-3.2.8-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-rubygem-bigdecimal-1.1.0-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-rubygem-io-console-0.3-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-rubygem-json-1.5.4-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-minitest-2.5.1-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-railties-3.2.8-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-railties-doc-3.2.8-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", 
reference:\"ruby193-rubygem-rake-0.9.2.2-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"ruby193-rubygem-rdoc-3.9.4-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-ruby_parser-2.3.1-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygem-ruby_parser-doc-2.3.1-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygems-1.8.23-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"ruby193-rubygems-devel-1.8.23-25.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-actionpack-3.0.13-4.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-activemodel-3.0.13-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-activemodel-doc-3.0.13-3.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-activerecord-3.0.13-5.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-bson-1.8.1-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-mongo-1.8.1-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-mongo-doc-1.8.1-2.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-auth-remote-user-1.0.5-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-console-1.0.10-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-console-doc-1.0.10-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-controller-1.0.12-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-openshift-origin-node-1.0.11-1.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-ruby_parser-2.0.4-6.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"rubygem-ruby_parser-doc-2.0.4-6.el6\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : 
rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"graphviz / graphviz-debuginfo / graphviz-devel / graphviz-doc / etc\");\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2016-09-04T11:45:49", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694"], "description": "This update to rubygem-actionpack fixes two unsafe query\n generations with \"IS NULL\" in the WHERE clause.\n (CVE-2012-2660\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2660</a>\n > , CVE-2012-2694\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2694\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2694</a>\n > )\n", "edition": 1, "modified": "2012-08-21T19:08:38", "published": "2012-08-21T19:08:38", "id": "SUSE-SU-2012:1012-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00014.html", "title": "Security update for rubygem-actionpack (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694"], "description": "This update to rubygem-activerecord fixes a SQL injection\n caused by mishandling nested parameters . 
( CVE-2012-2695\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695</a>\n > )\n", "edition": 1, "modified": "2012-08-21T20:08:28", "published": "2012-08-21T20:08:28", "id": "SUSE-SU-2012:1014-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00016.html", "type": "suse", "title": "Security update for rubygem-activerecord (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:23:22", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695"], "description": "This update to rubygem-activerecord fixes a SQL injection\n caused by mishandling nested parameters . ( CVE-2012-2695\n <<a rel=\"nofollow\" href=\"http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695\">http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2695</a>\n > )\n", "edition": 1, "modified": "2012-08-21T19:08:36", "published": "2012-08-21T19:08:36", "id": "SUSE-SU-2012:1011-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00013.html", "title": "Security update for rubygem-activerecord (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-2660", "CVE-2012-2694"], "description": "3 Security issues were fixed in rails 2.3 core components.\n\n 2 NULL query issues were fixed in the actionpack gem. 
1\n SQL injection was fixed in the activerecord gem.\n\n", "edition": 1, "modified": "2012-08-09T18:08:34", "published": "2012-08-09T18:08:34", "id": "OPENSUSE-SU-2012:0978-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2012-08/msg00002.html", "type": "suse", "title": "rubygem-actionpack/activerecord-2_3 (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:59:55", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2013-0156", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "description": "This update updates the RubyOnRails 2.3 stack to 2.3.16,\n also this update updates the RubyOnRails 3.2 stack to\n 3.2.11.\n\n Security and bugfixes were done, foremost: CVE-2013-0333: A\n JSON sql/code injection problem was fixed. CVE-2012-5664: A\n SQL Injection Vulnerability in Active Record was fixed.\n CVE-2012-2695: A SQL injection via nested hashes in\n conditions was fixed. CVE-2013-0155: Unsafe Query\n Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:\n Multiple vulnerabilities in parameter parsing in Action\n Pack were fixed.\n\n", "edition": 1, "modified": "2013-02-12T10:10:39", "published": "2013-02-12T10:10:39", "id": "OPENSUSE-SU-2013:0278-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00003.html", "title": "ruby on rails to 2.3.16 (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T12:47:49", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2013-0156", "CVE-2013-0155", "CVE-2013-0333", "CVE-2012-5664"], "description": "This update updates the RubyOnRails 2.3 stack to 2.3.16.\n\n Security and bugfixes were done, foremost: CVE-2013-0333: A\n JSON sql/code injection problem was fixed. 
CVE-2012-5664: A\n SQL Injection Vulnerability in Active Record was fixed.\n CVE-2012-2695: A SQL injection via nested hashes in\n conditions was fixed. CVE-2013-0155: Unsafe Query\n Generation Risk in Ruby on Rails was fixed. CVE-2013-0156:\n Multiple vulnerabilities in parameter parsing in Action\n Pack were fixed. CVE-2012-5664: options hashes should only\n be extracted if there are extra parameters CVE-2012-2695:\n Fix SQL injection via nested hashes in conditions\n CVE-2013-0156: Hash.from_xml raises when it encounters\n type=\"symbol\" or type=\"yaml\". Use Hash.from_trusted_xml to\n parse this XML\n\n", "edition": 1, "modified": "2013-02-12T11:04:29", "published": "2013-02-12T11:04:29", "id": "OPENSUSE-SU-2013:0280-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-02/msg00005.html", "type": "suse", "title": "ruby on rails to 2.3.16 (important)", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2016-09-04T11:31:56", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2695", "CVE-2012-6109", "CVE-2013-0156", "CVE-2013-0183", "CVE-2013-0155", "CVE-2013-0184", "CVE-2012-5664"], "description": "rubygem-merb-core has been updated to change the rack\n version dependency. 
Now any rack 1.1 version is accepted.\n\n This update needs to be installed in parallel with the\n 2.3.17 rails update.\n", "edition": 1, "modified": "2013-03-20T17:04:42", "published": "2013-03-20T17:04:42", "id": "SUSE-SU-2013:0508-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2013-03/msg00040.html", "title": "Security update for rubygem-merb-core (important)", "type": "suse", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "seebug": [{"lastseen": "2017-11-19T17:52:38", "description": "CVE-2012-2661\r\n\r\nRuby on Rails\u662f\u4e00\u6b3eWeb\u5e94\u7528\u7a0b\u5e8f\u6846\u67b6\uff0c\u6784\u5efa\u5728Ruby\u8bed\u8a00\u4e4b\u4e0a\r\n\r\n\u5b58\u5728\u4e00\u4e2aSQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u95ee\u9898\u5b58\u5728\u4e8eActive Record\u5904\u7406\u5d4c\u5957\u67e5\u8be2\u53c2\u6570\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u4f7f\u7528\u7279\u5236\u8bf7\u6c42\u6ce8\u5165SQL\u8bed\u53e5\u3002\r\n\u53d7\u5f71\u54cd\u4ee3\u7801\u76f4\u63a5\u628a\u8bf7\u6c42\u53c2\u6570\u4f20\u9012\u7ed9ActiveRecord\u7c7b\u7684`where`\u65b9\u6cd5\uff0c\u5982Post.where(:id => params[:id]).all\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u63d0\u4ea4\u8bf7\u6c42\u4f7f`params[:id]`\u8fd4\u56de\u7279\u5236\u54c8\u5e0c\u4f7fWHERE\u5b50\u53e5\u4f7f\u7528\u67d0\u4e9b\u503c\u67e5\u8be2\u4efb\u610f\u8868\r\n\r\nImpacted code directly passes request params to the `where` method of an ActiveRecord class like this:\r\n\r\n Post.where(:id => params[:id]).all\r\n\r\nAn attacker can make a request that causes `params[:id]` to return a specially crafted hash that will cause the WHERE clause of the SQL statement to query an arbitrary table with some value.\r\n0\r\nRuby on Rails < 3.2.4\r\nRuby on Rails < 3.1.5\r\nRuby on Rails < 3.0.13\r\nThis issue can be mitigated by casting the parameter to an expected value. 
For example, change this:\r\n\r\n Post.where(:id => params[:id]).all\r\n\r\nto this:\r\n\r\n Post.where(:id => params[:id].to_s).all\r\n\r\n\r\n\u5382\u5546\u89e3\u51b3\u65b9\u6848\r\n\r\nRuby on Rails\r\n-----\r\nRuby on Rails 3.2.4\uff0c3.1.5\u548c3.0.13\u5df2\u7ecf\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u4f7f\u7528\uff1a\r\nhttp://www.rubyonrails.com/", "published": "2012-06-01T00:00:00", "type": "seebug", "title": "SQL Injection Vulnerability in Ruby on Rails", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2661"], "modified": "2012-06-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60174", "id": "SSV:60174", "sourceData": "", "sourceHref": "", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}}, {"lastseen": "2017-11-19T21:23:24", "description": "CVE ID: CVE-2012-2694,CVE-2012-2695\r\n\r\nRuby on Rails\u7b80\u79f0RoR\u6216Rails\uff0c\u662f\u4e00\u4e2a\u4f7f\u7528Ruby\u8bed\u8a00\u5199\u7684\u5f00\u6e90Web\u5e94\u7528\u6846\u67b6\uff0c\u5b83\u662f\u4e25\u683c\u6309\u7167MVC\u7ed3\u6784\u5f00\u53d1\u7684\u3002\r\n\r\nRuby on Rails 3.2.6\u30013.1.6\u30013.0.14\u4e4b\u524d\u7248\u672c\u5728SQL\u67e5\u8be2\u4e2d\u4f7f\u7528\u4e86\u6ca1\u6709\u6b63\u786e\u9a8c\u8bc1\u7684\u8f93\u5165\uff0c\u8fd9\u4e9b\u8f93\u5165\u662f\u901a\u8fc7\u5d4c\u5957\u67e5\u8be2\u53c2\u6570\u4f20\u9012\u5230Active Record\u63a5\u53e3\u7684\uff0c\u901a\u8fc7\u6ce8\u5165SQL\u4ee3\u7801\u64cd\u4f5cSQL\u67e5\u8be2\u3002\u5728\u4f7f\u7528ActionPack\u65f6\u53c2\u6570\u89e3\u6790Rack\u7684\u65b9\u5f0f\u4e2d\u4e5f\u5b58\u5728\u6f0f\u6d1e\uff0c\u53ef\u5141\u8bb8\u63d2\u5165"IS NULL"\u5230SQL\u67e5\u8be2\u3002\r\n0\r\nRuby on Rails 3.2.x\r\nRuby on Rails 3.1.x\r\nRuby on Rails 3.0.x\r\nRuby on Rails 2.3.x\r\n\u5382\u5546\u8865\u4e01\uff1a\r\n\r\nRuby on 
Rails\r\n-------------\r\n\u76ee\u524d\u5382\u5546\u5df2\u7ecf\u53d1\u5e03\u4e86\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u8fd9\u4e2a\u5b89\u5168\u95ee\u9898\uff0c\u8bf7\u5230\u5382\u5546\u7684\u4e3b\u9875\u4e0b\u8f7d\uff1a\r\n\r\nhttp://www.rubyonrails.com/", "published": "2012-06-16T00:00:00", "type": "seebug", "title": "Ruby on Rails\u5d4c\u5957\u53c2\u6570SQL\u6ce8\u5165\u6f0f\u6d1e", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-2694", "CVE-2012-2695"], "modified": "2012-06-16T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-60217", "id": "SSV:60217", "sourceData": "", "sourceHref": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "github": [{"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2012-2661"], "description": "The Active Record component in Ruby on Rails 3.0.x before 3.0.13, 3.1.x before 3.1.5, and 3.2.x before 3.2.4 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage unintended recursion, a related issue to CVE-2012-2695.", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:38", "id": "GHSA-FH39-V733-MXFR", "href": "https://github.com/advisories/GHSA-fh39-v733-mxfr", "title": "Moderate severity vulnerability that affects activerecord", "type": "github", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-03-10T23:26:17", "bulletinFamily": "software", "cvelist": ["CVE-2012-2695"], "description": "The Active Record component in Ruby on Rails before 3.0.14, 3.1.x before 3.1.6, and 3.2.x before 3.2.6 does not properly implement the passing of request data to a where method in an ActiveRecord class, which allows remote attackers to conduct certain SQL injection attacks via nested query parameters that leverage improper handling of nested 
hashes, a related issue to CVE-2012-2661.", "edition": 2, "modified": "2019-07-03T21:02:00", "published": "2017-10-24T18:33:38", "id": "GHSA-76WQ-XW4H-F8WJ", "href": "https://github.com/advisories/GHSA-76wq-xw4h-f8wj", "title": "High severity vulnerability that affects activerecord", "type": "github", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "freebsd": [{"lastseen": "2019-05-29T18:33:48", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2660", "CVE-2012-2661"], "description": "\nrubygem-activerecord -- multiple vulnerabilities\n\nDue to the way Active Record interprets parameters in\n\t\t combination with the way that Rack parses query parameters, it\n\t\t is possible for an attacker to issue unexpected database\n\t\t queries with \"IS NULL\" where clauses. This issue does *not*\n\t\t let an attacker insert arbitrary values into an SQL query,\n\t\t however they can cause the query to check for NULL where most\n\t\t users wouldn't expect it.\nDue to the way Active Record handles nested query parameters,\n\t\t an attacker can use a specially crafted request to inject some\n\t\t forms of SQL into your application's SQL queries.\n\n", "edition": 4, "modified": "2012-07-23T00:00:00", "published": "2012-05-31T00:00:00", "id": "748AA89F-D529-11E1-82AB-001FD0AF1A4C", "href": "https://vuxml.freebsd.org/freebsd/748aa89f-d529-11e1-82ab-001fd0af1a4c.html", "title": "rubygem-activerecord -- multiple vulnerabilities", "type": "freebsd", "cvss": {"score": 6.4, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:N"}}], "redhat": [{"lastseen": "2019-08-13T18:46:32", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694", "CVE-2012-2695", "CVE-2012-3424", "CVE-2012-3463", "CVE-2012-3464", "CVE-2012-3465", "CVE-2012-6496", "CVE-2013-0155", "CVE-2013-0156"], "description": "Ruby on Rails is a model\u2013view\u2013controller (MVC) framework for web\napplication development. Action Pack implements the controller and the view\ncomponents. 
Active Record implements object-relational mapping for\naccessing database entries using objects. Active Support provides support\nand utility classes used by the Ruby on Rails framework.\n\nMultiple flaws were found in the way Ruby on Rails performed XML parameter\nparsing in HTTP requests. A remote attacker could use these flaws to\nexecute arbitrary code with the privileges of a Ruby on Rails application,\nperform SQL injection attacks, or bypass the authentication using a\nspecially-created HTTP request. (CVE-2013-0156)\n\nRed Hat is aware that a public exploit for the CVE-2013-0156 issues is\navailable that allows remote code execution in applications using Ruby on\nRails.\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-activerecord. A remote attacker could possibly use these flaws to\nperform an SQL injection attack against an application using\nrubygem-activerecord. (CVE-2012-2661, CVE-2012-2695, CVE-2012-6496,\nCVE-2013-0155)\n\nMultiple input validation vulnerabilities were discovered in\nrubygem-actionpack. A remote attacker could possibly use these flaws to\nperform an SQL injection attack against an application using\nrubygem-actionpack and rubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)\n\nMultiple cross-site scripting (XSS) flaws were found in rubygem-actionpack.\nA remote attacker could use these flaws to conduct XSS attacks against\nusers of an application using rubygem-actionpack. (CVE-2012-3463,\nCVE-2012-3464, CVE-2012-3465)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and digest\nauthentication. (CVE-2012-3424)\n\nUsers are advised to upgrade to these updated rubygem-actionpack,\nrubygem-activesupport, and rubygem-activerecord packages, which resolve\nthese issues. 
Katello must be restarted (\"service katello restart\") for\nthis update to take effect.", "modified": "2018-06-07T09:00:59", "published": "2013-01-11T01:37:00", "id": "RHSA-2013:0154", "href": "https://access.redhat.com/errata/RHSA-2013:0154", "type": "redhat", "title": "(RHSA-2013:0154) Critical: Ruby on Rails security update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-12-11T13:32:46", "bulletinFamily": "unix", "cvelist": ["CVE-2012-2660", "CVE-2012-2661", "CVE-2012-2694", "CVE-2012-2695", "CVE-2012-3424", "CVE-2012-3463", "CVE-2012-3464", "CVE-2012-3465", "CVE-2012-4464", "CVE-2012-4466", "CVE-2012-4522", "CVE-2012-5371", "CVE-2013-0155", "CVE-2013-0162", "CVE-2013-0276"], "description": "OpenShift Enterprise is a cloud computing Platform-as-a-Service (PaaS)\nsolution from Red Hat, and is designed for on-premise or private cloud\ndeployments.\n\nInstalling the updated packages and restarting the OpenShift services are\nthe only requirements for this update. However, if you are updating your\nsystem to Red Hat Enterprise Linux 6.4 while applying OpenShift Enterprise\n1.1.1 updates, it is recommended that you restart your system.\n\nFor further information about this release, refer to the OpenShift\nEnterprise 1.1.1 Technical Notes, available shortly from\nhttps://access.redhat.com/knowledge/docs/\n\nThis update also fixes the following security issues:\n\nMultiple cross-site scripting (XSS) flaws were found in rubygem-actionpack.\nA remote attacker could use these flaws to conduct XSS attacks against\nusers of an application using rubygem-actionpack. (CVE-2012-3463,\nCVE-2012-3464, CVE-2012-3465)\n\nIt was found that certain methods did not sanitize file names before\npassing them to lower layer routines in Ruby. If a Ruby application created\nfiles with names based on untrusted input, it could result in the creation\nof files with different names than expected. 
(CVE-2012-4522)\n\nA denial of service flaw was found in the implementation of associative\narrays (hashes) in Ruby. An attacker able to supply a large number of\ninputs to a Ruby application (such as HTTP POST request parameters sent to\na web application) that are used as keys when inserting data into an array\ncould trigger multiple hash function collisions, making array operations\ntake an excessive amount of CPU time. To mitigate this issue, a new, more\ncollision resistant algorithm has been used to reduce the chance of an\nattacker successfully causing intentional collisions. (CVE-2012-5371)\n\nInput validation vulnerabilities were discovered in rubygem-activerecord.\nA remote attacker could possibly use these flaws to perform an SQL\ninjection attack against an application using rubygem-activerecord.\n(CVE-2012-2661, CVE-2012-2695, CVE-2013-0155)\n\nInput validation vulnerabilities were discovered in rubygem-actionpack. A\nremote attacker could possibly use these flaws to perform an SQL injection\nattack against an application using rubygem-actionpack and\nrubygem-activerecord. (CVE-2012-2660, CVE-2012-2694)\n\nA flaw was found in the HTTP digest authentication implementation in\nrubygem-actionpack. A remote attacker could use this flaw to cause a\ndenial of service of an application using rubygem-actionpack and digest\nauthentication. (CVE-2012-3424)\n\nA flaw was found in the handling of strings in Ruby safe level 4. A remote\nattacker can use Exception#to_s to destructively modify an untainted string\nso that it is tainted, the string can then be arbitrarily modified.\n(CVE-2012-4466)\n\nA flaw was found in the method for translating an exception message into a\nstring in the Ruby Exception class. A remote attacker could use this flaw\nto bypass safe level 4 restrictions, allowing untrusted (tainted) code to\nmodify arbitrary, trusted (untainted) strings, which safe level 4\nrestrictions would otherwise prevent. 
(CVE-2012-4464)\n\nIt was found that ruby_parser from rubygem-ruby_parser created a temporary\nfile in an insecure way. A local attacker could use this flaw to perform a\nsymbolic link attack, overwriting arbitrary files accessible to the\napplication using ruby_parser. (CVE-2013-0162)\n\nThe CVE-2013-0162 issue was discovered by Michael Scherer of the Red Hat\nRegional IT team.\n\nUsers are advised to upgrade to Red Hat OpenShift Enterprise 1.1.1.\n", "modified": "2018-06-09T14:17:10", "published": "2013-02-28T05:00:00", "id": "RHSA-2013:0582", "href": "https://access.redhat.com/errata/RHSA-2013:0582", "type": "redhat", "title": "(RHSA-2013:0582) Moderate: Red Hat OpenShift Enterprise 1.1.1 update", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
