{ "threat_severity" : "Moderate", "public_date" : "2013-02-06T00:00:00Z", "bugzilla" : { "description" : "rubygem-rdoc: Cross-site scripting in the documentation created by Darkfish Rdoc HTML generator / template", "id" : "907820", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=907820" }, "cvss" : { "cvss_base_score" : "5.0", "cvss_scoring_vector" : "AV:N/AC:L/Au:N/C:N/I:P/A:N", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "5.4", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", "status" : "verified" }, "cwe" : "CWE-79", "details" : [ "darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL." ], "acknowledgement" : "Red Hat would like to thank Eric Hodel (RDoc upstream) for reporting this issue. Upstream acknowledges Evgeny Ermakov as the original reporter.", "affected_release" : [ { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-activesupport-1:3.0.10-10.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-delayed_job-0:2.1.4-3.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-rack-1:1.3.0-3.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-rails_warden-0:0.5.5-2.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-rdoc-0:3.8-6.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-rspec-rails-0:2.6.1-7.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-ruby_parser-0:2.0.4-6.el6cf" }, { "product_name" : "CloudForms for RHEL 6", "release_date" : "2013-02-21T00:00:00Z", "advisory" : "RHSA-2013:0548", "cpe" : "cpe:/a:cloudforms_cloudengine:1::el6", "package" : "rubygem-shoulda-0:2.11.3-5.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "candlepin-0:0.7.24-1.el6_3" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "katello-0:1.2.1.1-1h.el6_4" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "katello-configure-0:1.2.3.1-4h.el6_4" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-actionpack-1:3.0.10-12.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-activemodel-0:3.0.10-3.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-delayed_job-0:2.1.4-3.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-json-0:1.7.3-2.el6_3" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-nokogiri-0:1.5.0-0.9.beta4.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rack-1:1.3.0-4.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rails_warden-0:0.5.5-2.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "rubygem-rdoc-0:3.8-6.el6cf" }, { "product_name" : "Red Hat Subscription Asset Manager 1.2", "release_date" : "2013-03-26T00:00:00Z", "advisory" : "RHSA-2013:0686", "cpe" : "cpe:/a:rhel_sam:1.2::el6", "package" : "thumbslug-0:0.0.28.1-1.el6_4" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-ruby-0:1.9.3.327-28.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "rubygem-json-0:1.7.3-2.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-02T00:00:00Z", "advisory" : "RHSA-2013:0701", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "rubygem-rdoc-0:3.8-9.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-activesupport-1:3.2.8-4.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-bcrypt-ruby-0:3.0.1-7.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-bson-0:1.5.2-6.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-chunky_png-0:1.2.6-3.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-ci_reporter-0:1.7.2-4.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-compass-0:0.12.2-4.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-fastthread-0:1.0.7-7.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-haml-0:3.1.7-3.el6op" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-http_connection-0:1.4.1-7.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-rack-1:1.4.1-5.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-rack-test-0:0.6.1-3.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-rspec-0:2.11.0-2.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-treetop-0:1.4.10-6.el6" }, { "product_name" : "RHEL 6 Version of OpenShift Enterprise", "release_date" : "2013-04-09T00:00:00Z", "advisory" : "RHSA-2013:0728", "cpe" : "cpe:/a:redhat:openshift:1::el6", "package" : "ruby193-rubygem-xml-simple-0:1.0.12-10.el6op" } ], "package_state" : [ { "product_name" : "OpenShift Enterprise 1", "fix_state" : "Affected", "package_name" : "rubygem-haml", "cpe" : "cpe:/a:redhat:openshift:1" }, { "product_name" : "Red Hat Enterprise MRG 2", "fix_state" : "Affected", "package_name" : "rubygem-haml", "cpe" : "cpe:/a:redhat:enterprise_mrg:2" }, { "product_name" : "Red Hat Subscription Asset Manager", "fix_state" : "Affected", "package_name" : "rubygem-haml", "cpe" : "cpe:/a:rhel_sam:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-0256\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-0256\nhttp://www.ruby-lang.org/en/news/2013/02/06/rdoc-xss-cve-2013-0256/" ], "name" : "CVE-2013-0256", "csaw" : false }