gsd-2017-1002201
Vulnerability from gsd
Modified
2017-05-08 00:00
Details
In haml versions prior to version 5.0.0.beta.2, when using user input to
perform tasks on the server, characters like < > " ' must be escaped properly.
In this case, the ' character was missed. An attacker can manipulate the input
to introduce additional attributes, potentially executing code.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2017-1002201",
"description": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.",
"id": "GSD-2017-1002201",
"references": [
"https://www.suse.com/security/cve/CVE-2017-1002201.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "haml",
"purl": "pkg:gem/haml"
}
}
],
"aliases": [
"CVE-2017-1002201",
"GHSA-r53w-g4xm-3gc6"
],
"details": "In haml versions prior to version 5.0.0.beta.2, when using user input to\nperform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly.\nIn this case, the \u0027 character was missed. An attacker can manipulate the input\nto introduce additional attributes, potentially executing code.\n",
"id": "GSD-2017-1002201",
"modified": "2017-05-08T00:00:00.000Z",
"published": "2017-05-08T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"type": "WEB",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 4.3,
"type": "CVSS_V2"
},
{
"score": 6.1,
"type": "CVSS_V3"
}
],
"summary": "haml failure to escape single quotes"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "haml",
"version": {
"version_data": [
{
"version_value": "All versions prior to version 5.0.0.beta.2"
}
]
}
}
]
},
"vendor_name": "http://haml.info/"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2017-1002201",
"cvss_v2": 4.3,
"cvss_v3": 6.1,
"date": "2017-05-08",
"description": "In haml versions prior to version 5.0.0.beta.2, when using user input to\nperform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly.\nIn this case, the \u0027 character was missed. An attacker can manipulate the input\nto introduce additional attributes, potentially executing code.\n",
"gem": "haml",
"ghsa": "r53w-g4xm-3gc6",
"patched_versions": [
"\u003e= 5.0.0.beta.2"
],
"related": {
"url": [
"https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
]
},
"title": "haml failure to escape single quotes",
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c5.0.0",
"affected_versions": "All versions before 5.0.0",
"cvss_v2": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-79",
"CWE-937"
],
"date": "2019-11-10",
"description": "User-provided input containting the `\u0027` is not properly escaped. An attacker can manipulate the input to introduce additional attributes, potentially executing code.",
"fixed_versions": [
"5.0.0"
],
"identifier": "CVE-2017-1002201",
"identifiers": [
"CVE-2017-1002201"
],
"not_impacted": "All versions starting from 5.0.0",
"package_slug": "gem/haml",
"pubdate": "2019-10-15",
"solution": "Upgrade to version 5.0.0 or above.",
"title": "Cross-site Scripting",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2017-1002201"
],
"uuid": "3edda34b-b140-417a-9ff1-fe5ee16d0961"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:haml:haml:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "5.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "cve-assign@distributedweaknessfiling.org",
"ID": "CVE-2017-1002201"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2"
},
{
"name": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362",
"refsource": "CONFIRM",
"tags": [
"Exploit",
"Patch",
"Third Party Advisory"
],
"url": "https://snyk.io/vuln/SNYK-RUBY-HAML-20362"
},
{
"name": "[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html"
},
{
"name": "GLSA-202007-27",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202007-27"
},
{
"name": "[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.6,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.7
}
},
"lastModifiedDate": "2022-04-05T20:53Z",
"publishedDate": "2019-10-15T18:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…