csaf_suse - suse-su-2019:2932-1

suse-su-2019:2932-1

Vulnerability from csaf_suse

Published

2019-11-08 09:53

Modified

2019-11-08 09:53

Summary

Security update for rubygem-haml

Notes

Title of the patch

Security update for rubygem-haml

Description of the patch

This update for rubygem-haml fixes the following issue: - CVE-2017-1002201: Fixed an insufficient character escape that could have led to arbitrary code execution (bsc#1155089).

Patchnames

SUSE-2019-2932,SUSE-OpenStack-Cloud-7-2019-2932,SUSE-OpenStack-Cloud-Crowbar-8-2019-2932,SUSE-OpenStack-Cloud-Crowbar-9-2019-2932

CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-haml",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-haml fixes the following issue:\n\n- CVE-2017-1002201: Fixed an insufficient character escape that could have led to arbitrary code execution (bsc#1155089).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2019-2932,SUSE-OpenStack-Cloud-7-2019-2932,SUSE-OpenStack-Cloud-Crowbar-8-2019-2932,SUSE-OpenStack-Cloud-Crowbar-9-2019-2932",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2019_2932-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2019:2932-1",
        "url": "https://www.suse.com/support/update/announcement/2019/suse-su-20192932-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2019:2932-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2019-November/006101.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1155089",
        "url": "https://bugzilla.suse.com/1155089"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2017-1002201 page",
        "url": "https://www.suse.com/security/cve/CVE-2017-1002201/"
      }
    ],
    "title": "Security update for rubygem-haml",
    "tracking": {
      "current_release_date": "2019-11-08T09:53:22Z",
      "generator": {
        "date": "2019-11-08T09:53:22Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2019:2932-1",
      "initial_release_date": "2019-11-08T09:53:22Z",
      "revision_history": [
        {
          "date": "2019-11-08T09:53:22Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.aarch64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.aarch64",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.i586",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.i586",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.i586",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.i586",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.i586",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.i586",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.ppc64le",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.ppc64le",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390"
                }
              }
            ],
            "category": "architecture",
            "name": "s390"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390x",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390x",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-haml-doc-4.0.6-3.3.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.x86_64",
                "product": {
                  "name": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.x86_64",
                  "product_id": "ruby2.1-rubygem-haml-testsuite-4.0.6-3.3.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud 7",
                "product": {
                  "name": "SUSE OpenStack Cloud 7",
                  "product_id": "SUSE OpenStack Cloud 7",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud:7"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud Crowbar 8",
                "product": {
                  "name": "SUSE OpenStack Cloud Crowbar 8",
                  "product_id": "SUSE OpenStack Cloud Crowbar 8",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:8"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE OpenStack Cloud Crowbar 9",
                "product": {
                  "name": "SUSE OpenStack Cloud Crowbar 9",
                  "product_id": "SUSE OpenStack Cloud Crowbar 9",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:suse-openstack-cloud-crowbar:9"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64"
        },
        "product_reference": "ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x"
        },
        "product_reference": "ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64 as component of SUSE OpenStack Cloud 7",
          "product_id": "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
        },
        "product_reference": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud 7"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 8",
          "product_id": "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
        },
        "product_reference": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 8"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64 as component of SUSE OpenStack Cloud Crowbar 9",
          "product_id": "SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
        },
        "product_reference": "ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
        "relates_to_product_reference": "SUSE OpenStack Cloud Crowbar 9"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2017-1002201",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2017-1002201"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like \u003c \u003e \" \u0027 must be escaped properly. In this case, the \u0027 character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
          "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
          "SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2017-1002201",
          "url": "https://www.suse.com/security/cve/CVE-2017-1002201"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1155089 for CVE-2017-1002201",
          "url": "https://bugzilla.suse.com/1155089"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          },
          "products": [
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.aarch64",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.s390x",
            "SUSE OpenStack Cloud 7:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 8:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64",
            "SUSE OpenStack Cloud Crowbar 9:ruby2.1-rubygem-haml-4.0.6-3.3.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2019-11-08T09:53:22Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2017-1002201"
    }
  ]
}

CVE-2017-1002201 (GCVE-0-2017-1002201)

Vulnerability from cvelistv5

Published

2019-10-15 17:35

Modified

2024-08-05 22:08

Severity ?

CWE

Cross-site Scripting (XSS)

Summary

In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

References

►

URL

Tags

	https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2	x_refsource_MISC
	https://snyk.io/vuln/SNYK-RUBY-HAML-20362	x_refsource_CONFIRM
	https://lists.debian.org/debian-lts-announce/2019/11/msg00007.html	mailing-list, x_refsource_MLIST
	https://security.gentoo.org/glsa/202007-27	vendor-advisory, x_refsource_GENTOO
	https://lists.debian.org/debian-lts-announce/2021/12/msg00028.html	mailing-list, x_refsource_MLIST

Impacted products

	Vendor	Product	Version
	http://haml.info/	haml	Version: All versions prior to version 5.0.0.beta.2

Show details on NVD website