Lucene search
This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2013-0698.NASLHistoryDec 06, 2018 - 12:00 a.m.
RHEL 6 : rubygem-actionpack and ruby193-rubygem-actionpack (RHSA-2013:0698)
2018-12-0600:00:00
This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
17
Updated rubygem-actionpack and ruby193-rubygem-actionpack packages that fix two security issues are now available for Red Hat OpenShift Enterprise 1.1.3.
The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.
Ruby on Rails is a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components.
Two cross-site scripting (XSS) flaws were found in rubygem-actionpack and ruby193-rubygem-actionpack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using rubygem-actionpack or ruby193-rubygem-actionpack. (CVE-2013-1855, CVE-2013-1857)
Red Hat would like to thank Ruby on Rails upstream for reporting these issues. Upstream acknowledges Charlie Somerville as the original reporter of CVE-2013-1855, and Alan Jenkins as the original reporter of CVE-2013-1857.
Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to these updated packages, which correct these issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2013:0698. The text
# itself is copyright (C) Red Hat, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(119434);
script_version("1.9");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2013-1855", "CVE-2013-1857");
script_bugtraq_id(58552, 58555);
script_xref(name:"RHSA", value:"2013:0698");
script_name(english:"RHEL 6 : rubygem-actionpack and ruby193-rubygem-actionpack (RHSA-2013:0698)");
script_summary(english:"Checks the rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:"The remote Red Hat host is missing one or more security updates."
);
script_set_attribute(
attribute:"description",
value:
"Updated rubygem-actionpack and ruby193-rubygem-actionpack packages
that fix two security issues are now available for Red Hat OpenShift
Enterprise 1.1.3.
The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.
Ruby on Rails is a model-view-controller (MVC) framework for web
application development. Action Pack implements the controller and the
view components.
Two cross-site scripting (XSS) flaws were found in rubygem-actionpack
and ruby193-rubygem-actionpack. A remote attacker could use these
flaws to conduct XSS attacks against users of an application using
rubygem-actionpack or ruby193-rubygem-actionpack. (CVE-2013-1855,
CVE-2013-1857)
Red Hat would like to thank Ruby on Rails upstream for reporting these
issues. Upstream acknowledges Charlie Somerville as the original
reporter of CVE-2013-1855, and Alan Jenkins as the original reporter
of CVE-2013-1857.
Users of Red Hat OpenShift Enterprise 1.1.3 are advised to upgrade to
these updated packages, which correct these issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/errata/RHSA-2013:0698"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2013-1855"
);
script_set_attribute(
attribute:"see_also",
value:"https://access.redhat.com/security/cve/cve-2013-1857"
);
script_set_attribute(
attribute:"solution",
value:
"Update the affected ruby193-rubygem-actionpack,
ruby193-rubygem-actionpack-doc and / or rubygem-actionpack packages."
);
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack-doc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack");
script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:6");
script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/19");
script_set_attribute(attribute:"patch_publication_date", value:"2013/04/02");
script_set_attribute(attribute:"plugin_publication_date", value:"2018/12/06");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Red Hat Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 6.x", "Red Hat " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
rhsa = "RHSA-2013:0698";
yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
if (!empty_or_null(yum_report))
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : yum_report
);
exit(0);
}
else
{
audit_message = "affected by Red Hat security advisory " + rhsa;
audit(AUDIT_OS_NOT, audit_message);
}
}
else
{
flag = 0;
if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-actionpack-3.2.8-5.el6")) flag++;
if (rpm_check(release:"RHEL6", reference:"ruby193-rubygem-actionpack-doc-3.2.8-5.el6")) flag++;
if (rpm_check(release:"RHEL6", reference:"rubygem-actionpack-3.0.13-8.el6")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get() + redhat_report_package_caveat()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ruby193-rubygem-actionpack / ruby193-rubygem-actionpack-doc / etc");
}
}
| Vendor | Product | Version | CPE |
|---|---|---|---|
| redhat | enterprise_linux | ruby193-rubygem-actionpack | p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack |
| redhat | enterprise_linux | ruby193-rubygem-actionpack-doc | p-cpe:/a:redhat:enterprise_linux:ruby193-rubygem-actionpack-doc |
| redhat | enterprise_linux | rubygem-actionpack | p-cpe:/a:redhat:enterprise_linux:rubygem-actionpack |
| redhat | enterprise_linux | 6 | cpe:/o:redhat:enterprise_linux:6 |
Related
nessus
nessus
Fedora 17 : rubygem-actionpack-3.0.11-9.fc17 (2013-4199)
2013-04-01 00:00:00
openSUSE Security Update : rubygem-actionpack-3_2 (openSUSE-SU-2013:0661-1)
2014-06-13 00:00:00
Fedora 18 : rubygem-actionpack-3.2.8-3.fc18 (2013-4214)
2013-04-01 00:00:00
redhat
redhat
ibm
ibm
openvas
openvas
Fedora Update for rubygem-actionpack FEDORA-2013-4214
2013-04-02 00:00:00
Fedora Update for rubygem-actionpack FEDORA-2013-4214
2013-04-02 00:00:00
Debian Security Advisory DSA 2655-1 (rails - several vulnerabilities)
2013-03-28 00:00:00
fedora
fedora
[SECURITY] Fedora 18 Update: rubygem-actionpack-3.2.8-3.fc18
2013-03-30 21:27:21
[SECURITY] Fedora 17 Update: rubygem-actionpack-3.0.11-9.fc17
2013-03-30 21:27:37
freebsd
freebsd
rubygem-rails -- multiple vulnerabilities
2013-03-18 00:00:00
threatpost
threatpost
Ruby on Rails Patches DoS, XSS Vulnerabilities
2013-03-19 16:31:57
prion
prion
Cross site scripting
2013-03-19 22:55:00
Cross site scripting
2013-03-19 22:55:00
cve
cve
CVE-2013-1857
2013-03-19 22:55:00
CVE-2013-1855
2013-03-19 22:55:00
gitlab
gitlab
XSS Vulnerability in the `sanitize` helper
2013-03-19 00:00:00
XSS vulnerability in sanitize_css in Action Pack
2013-03-19 00:00:00
ubuntucve
ubuntucve
CVE-2013-1857
2013-03-19 00:00:00
CVE-2013-1855
2013-03-19 00:00:00
osv
osv
actionpack Cross-site Scripting vulnerability
2017-10-24 18:33:37
actionpack Cross-site Scripting vulnerability
2017-10-24 18:33:37
debiancve
debiancve
CVE-2013-1857
2013-03-19 22:55:00
CVE-2013-1855
2013-03-19 22:55:00
github
github
actionpack Cross-site Scripting vulnerability
2017-10-24 18:33:37
actionpack Cross-site Scripting vulnerability
2017-10-24 18:33:37
seebug
seebug
Ruby on Rails 'sanitize_css()'ćšćłčˇ¨çŤčćŹćźć´(CVE-2013-1855)
2013-03-20 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2019-01-15 08:51:19
debian
debian
[SECURITY] [DSA 2655-1] rails security update
2013-03-28 16:15:56
rubygems
rubygems
gentoo
gentoo
Ruby on Rails: Multiple vulnerabilities
2014-12-14 00:00:00
securityvulns
securityvulns
Apple Mac OS X multiple security vulnerabilities
2013-06-17 00:00:00
Related for REDHAT-RHSA-2013-0698.NASL