Details of VAR-201312-0118

ID

VAR-201312-0118

CVE

CVE-2013-4491

TITLE

Ruby on Rails of internationalization Component cross-site scripting vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2013-005367

DESCRIPTION

Cross-site scripting (XSS) vulnerability in actionpack/lib/action_view/helpers/translation_helper.rb in the internationalization component in Ruby on Rails 3.x before 3.2.16 and 4.x before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted string that triggers generation of a fallback string by the i18n gem. RubyGems i18n is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to RubyGems i18n 0.6.6, and 0.5.1 are vulnerable. For the stable distribution (wheezy), these problems have been fixed in version 3.2.6-6+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 3.2.16-3+0 of the rails-3.2 source package. We recommend that you upgrade your ruby-actionpack-3.2 packages. Relevant releases/architectures: OpenStack 3 - noarch 3. An application using a third party library, which uses the Rack::Request interface, or custom Rack middleware could bypass the protection implemented to fix the CVE-2013-0155 vulnerability, causing the application to receive unsafe parameters and become vulnerable to CVE-2013-0155. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: Subscription Asset Manager 1.4 security update Advisory ID: RHSA-2014:1863-01 Product: Red Hat Subscription Asset Manager Advisory URL: https://rhn.redhat.com/errata/RHSA-2014-1863.html Issue date: 2014-11-17 CVE Names: CVE-2013-1854 CVE-2013-1855 CVE-2013-1857 CVE-2013-4491 CVE-2013-6414 CVE-2013-6415 CVE-2014-0130 ===================================================================== 1. Summary: Updated Subscription Asset Manager 1.4 packages that fix multiple security issues are now available. Red Hat Product Security has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. 2. Relevant releases/architectures: Red Hat Subscription Asset Manager for RHEL 6 Server - noarch 3. Description: Red Hat Subscription Asset Manager acts as a proxy for handling subscription information and software updates on client machines. Red Hat Subscription Asset Manager is built on Ruby on Rails, a model-view-controller (MVC) framework for web application development. Action Pack implements the controller and the view components. A directory traversal flaw was found in the way Ruby on Rails handled wildcard segments in routes with implicit rendering. A remote attacker could use this flaw to retrieve arbitrary local files accessible to a Ruby on Rails application using the aforementioned routes via a specially crafted request. (CVE-2014-0130) A flaw was found in the way Ruby on Rails handled hashes in certain queries. A remote attacker could use this flaw to perform a denial of service (resource consumption) attack by sending specially crafted queries that would result in the creation of Ruby symbols, which were never garbage collected. (CVE-2013-1854) Two cross-site scripting (XSS) flaws were found in Action Pack. A remote attacker could use these flaws to conduct XSS attacks against users of an application using Action Pack. A remote attacker could possibly use this flaw to perform a reflective cross-site scripting (XSS) attack by providing a specially crafted input to an application using the aforementioned component. (CVE-2013-4491) A denial of service flaw was found in the header handling component of Action View. A remote attacker could send strings in specially crafted headers that would be cached indefinitely, which would result in all available system memory eventually being consumed. (CVE-2013-6414) It was found that the number_to_currency Action View helper did not properly escape the unit parameter. An attacker could use this flaw to perform a cross-site scripting (XSS) attack on an application that uses data submitted by a user in the unit parameter. (CVE-2013-6415) Red Hat would like to thank Ruby on Rails upstream for reporting these issues. Upstream acknowledges Ben Murphy as the original reporter of CVE-2013-1854, Charlie Somerville as the original reporter of CVE-2013-1855, Alan Jenkins as the original reporter of CVE-2013-1857, Peter McLarnan as the original reporter of CVE-2013-4491, Toby Hsieh as the original reporter of CVE-2013-6414, and Ankit Gupta as the original reporter of CVE-2013-6415. All Subscription Asset Manager users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 4. Solution: Before applying this update, make sure all previously released errata relevant to your system have been applied. This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 921329 - CVE-2013-1854 rubygem-activerecord: attribute_dos Symbol DoS vulnerability 921331 - CVE-2013-1855 rubygem-actionpack: css_sanitization: XSS vulnerability in sanitize_css 921335 - CVE-2013-1857 rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the helper of Ruby on Rails 1036483 - CVE-2013-6414 rubygem-actionpack: Action View DoS 1036910 - CVE-2013-6415 rubygem-actionpack: number_to_currency XSS 1036922 - CVE-2013-4491 rubygem-actionpack: i18n missing translation XSS 1095105 - CVE-2014-0130 rubygem-actionpack: directory traversal issue 6. Package List: Red Hat Subscription Asset Manager for RHEL 6 Server: Source: katello-1.4.3.28-1.el6sam_splice.src.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.src.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.src.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.src.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.src.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.src.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.src.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.src.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.src.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.src.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.src.rpm noarch: katello-common-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-candlepin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-glue-elasticsearch-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-1.4.3.28-1.el6sam_splice.noarch.rpm katello-headpin-all-1.4.3.28-1.el6sam_splice.noarch.rpm ruby193-rubygem-actionmailer-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-actionpack-3.2.17-6.el6sam.noarch.rpm ruby193-rubygem-activemodel-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activerecord-3.2.17-5.el6sam.noarch.rpm ruby193-rubygem-activeresource-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-activesupport-3.2.17-2.el6sam.noarch.rpm ruby193-rubygem-i18n-0.6.9-1.el6sam.noarch.rpm ruby193-rubygem-mail-2.5.4-1.el6sam.noarch.rpm ruby193-rubygem-rack-1.4.5-3.el6sam.noarch.rpm ruby193-rubygem-rails-3.2.17-1.el6sam.noarch.rpm ruby193-rubygem-railties-3.2.17-1.el6sam.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2013-1854 https://access.redhat.com/security/cve/CVE-2013-1855 https://access.redhat.com/security/cve/CVE-2013-1857 https://access.redhat.com/security/cve/CVE-2013-4491 https://access.redhat.com/security/cve/CVE-2013-6414 https://access.redhat.com/security/cve/CVE-2013-6415 https://access.redhat.com/security/cve/CVE-2014-0130 https://access.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2014 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFUai7iXlSAg2UNWIIRAmtEAJ9m+ZUXuva81fLz9G1CLKYi5aJoHACfcd3y SoVal0zNgx0pwtSAkS1q5/0= =i5aK -----END PGP SIGNATURE----- -- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 2.25

sources: NVD: CVE-2013-4491 // JVNDB: JVNDB-2013-005367 // BID: 64076 // PACKETSTORM: 125923 // PACKETSTORM: 124669 // PACKETSTORM: 124305 // PACKETSTORM: 129131

AFFECTED PRODUCTS

vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.2.15	Trust: 1.6
vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.2.14	Trust: 1.6
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.1	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	lte	version:	4.0.1	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.7	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.9	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.2	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.5	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.11	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.3	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.7	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.8	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.1	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.3	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.8	Trust: 1.0
vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.0.4	Trust: 1.0
vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.1.11	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.9	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.6	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.14	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	4.0.0	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.7	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.18	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.9	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.12	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.2	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.16	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.11	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.4	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.12	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.10	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.4	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.6	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.19	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.10	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.5	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.8	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.4	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.1	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.3	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.0	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.6	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.2	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.1.0	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.13	Trust: 1.0
vendor:	rubyonrails	model:	ruby on rails	scope:	lte	version:	3.2.15	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	4.0.1	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.5	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.13	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.10	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.2.0	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.17	Trust: 1.0
vendor:	rubyonrails	model:	rails	scope:	eq	version:	3.0.20	Trust: 1.0
vendor:	ruby on rails	model:	rails	scope:	lt	version:	4.x	Trust: 0.8
vendor:	ruby on rails	model:	rails	scope:	lt	version:	3.x	Trust: 0.8
vendor:	ruby on rails	model:	rails	scope:	eq	version:	3.2.16	Trust: 0.8
vendor:	ruby on rails	model:	rails	scope:	eq	version:	4.0.2	Trust: 0.8
vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.2.12	Trust: 0.6
vendor:	rubyonrails	model:	ruby on rails	scope:	eq	version:	3.2.13	Trust: 0.6
vendor:	suse	model:	webyast	scope:	eq	version:	1.3	Trust: 0.3
vendor:	suse	model:	studio onsite	scope:	eq	version:	1.3	Trust: 0.3
vendor:	suse	model:	lifecycle management server	scope:	eq	version:	1.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	13.1	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	12.3	Trust: 0.3
vendor:	s u s e	model:	opensuse	scope:	eq	version:	12.2	Trust: 0.3
vendor:	rubygems	model:	i18n	scope:	eq	version:	0.6.5	Trust: 0.3
vendor:	rubygems	model:	i18n	scope:	eq	version:	0.5.0	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	4.0.1	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	4.0	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.13	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.12	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.11	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.10	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.8	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.7	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.6	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.4	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.2	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.12	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.11	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.9	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.8	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.7	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.6	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.5	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.4	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1.2	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.1	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.0.6	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2.15	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.2	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.0.8	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	eq	version:	3.0.7	Trust: 0.3
vendor:	redhat	model:	software collections for rhel	scope:	eq	version:	0	Trust: 0.3
vendor:	redhat	model:	openstack	scope:	eq	version:	3.0	Trust: 0.3
vendor:	puppetlabs	model:	puppet enterprise	scope:	eq	version:	3.1	Trust: 0.3
vendor:	opscode	model:	chef	scope:	eq	version:	11.1.2	Trust: 0.3
vendor:	ibm	model:	security network protection xgs	scope:	eq	version:	51005.1.1	Trust: 0.3
vendor:	ibm	model:	security network protection xgs	scope:	eq	version:	51005.1	Trust: 0.3
vendor:	ibm	model:	security network protection xgs	scope:	eq	version:	5.1.2	Trust: 0.3
vendor:	debian	model:	linux sparc	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux s/390	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux powerpc	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux mips	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux ia-64	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux ia-32	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux arm	scope:	eq	version:	6.0	Trust: 0.3
vendor:	debian	model:	linux amd64	scope:	eq	version:	6.0	Trust: 0.3
vendor:	rubygems	model:	i18n	scope:	ne	version:	0.6.6	Trust: 0.3
vendor:	rubygems	model:	i18n	scope:	ne	version:	0.5.1	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	ne	version:	4.0.2	Trust: 0.3
vendor:	ruby	model:	on rails ruby on rails	scope:	ne	version:	3.2.16	Trust: 0.3
vendor:	puppetlabs	model:	puppet enterprise	scope:	ne	version:	3.1.1	Trust: 0.3
vendor:	opscode	model:	chef	scope:	ne	version:	11.1.3	Trust: 0.3

sources: BID: 64076 // JVNDB: JVNDB-2013-005367 // CNNVD: CNNVD-201312-123 // NVD: CVE-2013-4491

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-4491
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2013-4491
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201312-123
value:	MEDIUM
Trust: 0.6

nvd@nist.gov:	CVE-2013-4491
severity:	MEDIUM
baseScore:	4.3
vectorString:	AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	PARTIAL
availabilityImpact:	NONE
exploitabilityScore:	8.6
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8

sources: JVNDB: JVNDB-2013-005367 // CNNVD: CNNVD-201312-123 // NVD: CVE-2013-4491

PROBLEMTYPE DATA

problemtype:

CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2013-005367 // NVD: CVE-2013-4491

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201312-123

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 125923 // CNNVD: CNNVD-201312-123

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005367

PATCH

title:	Enterprise Chef 11.1.3 Release	url:	https://www.chef.io/blog/2014/04/09/enterprise-chef-11-1-3-release/	Trust: 0.8
title:	[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Rails	url:	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ	Trust: 0.8
title:	openSUSE-SU-2013:1904	url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html	Trust: 0.8
title:	openSUSE-SU-2013:1906	url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html	Trust: 0.8
title:	openSUSE-SU-2013:1907	url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html	Trust: 0.8
title:	Rails 3.2.16 and 4.0.2 have been released!	url:	http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/	Trust: 0.8
title:	RHSA-2014:1863	url:	https://rhn.redhat.com/errata/RHSA-2014-1863.html	Trust: 0.8
title:	RHSA-2014:0008	url:	https://rhn.redhat.com/errata/RHSA-2014-0008.html	Trust: 0.8
title:	RHSA-2013:1794	url:	http://rhn.redhat.com/errata/RHSA-2013-1794.html	Trust: 0.8

sources: JVNDB: JVNDB-2013-005367

EXTERNAL IDS

db:	NVD	id:	CVE-2013-4491	Trust: 3.1
db:	BID	id:	64076	Trust: 1.9
db:	SECUNIA	id:	57836	Trust: 1.6
db:	JVNDB	id:	JVNDB-2013-005367	Trust: 0.8
db:	CNNVD	id:	CNNVD-201312-123	Trust: 0.6
db:	PACKETSTORM	id:	125923	Trust: 0.1
db:	PACKETSTORM	id:	124669	Trust: 0.1
db:	PACKETSTORM	id:	124305	Trust: 0.1
db:	PACKETSTORM	id:	129131	Trust: 0.1

sources: BID: 64076 // JVNDB: JVNDB-2013-005367 // PACKETSTORM: 125923 // PACKETSTORM: 124669 // PACKETSTORM: 124305 // PACKETSTORM: 129131 // CNNVD: CNNVD-201312-123 // NVD: CVE-2013-4491

REFERENCES

url:	http://rhn.redhat.com/errata/rhsa-2014-0008.html	Trust: 2.0
url:	http://rhn.redhat.com/errata/rhsa-2013-1794.html	Trust: 2.0
url:	http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/	Trust: 1.9
url:	http://rhn.redhat.com/errata/rhsa-2014-1863.html	Trust: 1.7
url:	https://groups.google.com/forum/message/raw?msg=ruby-security-ann/plrh6duw998/blfeyio4k_ej	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00079.html	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00081.html	Trust: 1.6
url:	http://www.securityfocus.com/bid/64076	Trust: 1.6
url:	http://weblog.rubyonrails.org/2013/12/3/rails_3_2_16_and_4_0_2_have_been_released/	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-updates/2013-12/msg00082.html	Trust: 1.6
url:	http://secunia.com/advisories/57836	Trust: 1.6
url:	http://www.debian.org/security/2014/dsa-2888	Trust: 1.6
url:	http://lists.opensuse.org/opensuse-updates/2014-01/msg00003.html	Trust: 1.6
url:	https://puppet.com/security/cve/cve-2013-4491	Trust: 1.6
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4491	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4491	Trust: 0.8
url:	https://nvd.nist.gov/vuln/detail/cve-2013-6414	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4491	Trust: 0.4
url:	https://nvd.nist.gov/vuln/detail/cve-2013-6415	Trust: 0.4
url:	https://bugzilla.redhat.com/show_bug.cgi?id=1036922	Trust: 0.3
url:	http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/	Trust: 0.3
url:	http://puppetlabs.com/security/cve/cve-2013-4491	Trust: 0.3
url:	http://www.rubyonrails.com/	Trust: 0.3
url:	rubygems.org/gems/i18n	Trust: 0.3
url:	http://www-01.ibm.com/support/docview.wss?uid=swg21665279	Trust: 0.3
url:	https://www.suse.com/support/update/announcement/2014/suse-su-20140734-1.html	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2013-6417	Trust: 0.3
url:	https://www.redhat.com/mailman/listinfo/rhsa-announce	Trust: 0.3
url:	https://bugzilla.redhat.com/):	Trust: 0.3
url:	https://access.redhat.com/security/team/contact/	Trust: 0.3
url:	https://access.redhat.com/security/updates/classification/#important	Trust: 0.3
url:	https://www.redhat.com/security/data/cve/cve-2013-6414.html	Trust: 0.2
url:	https://access.redhat.com/security/team/key/#package	Trust: 0.2
url:	https://www.redhat.com/security/data/cve/cve-2013-6417.html	Trust: 0.2
url:	https://access.redhat.com/site/articles/11258	Trust: 0.2
url:	https://www.redhat.com/security/data/cve/cve-2013-4491.html	Trust: 0.2
url:	https://www.redhat.com/security/data/cve/cve-2013-6415.html	Trust: 0.2
url:	http://www.debian.org/security/faq	Trust: 0.1
url:	http://www.debian.org/security/	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4389	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-1855	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-1857	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1857	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-4491	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-1854	Trust: 0.1
url:	https://access.redhat.com/articles/11258	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2014-0130	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2014-0130	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-6415	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1854	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-1855	Trust: 0.1
url:	https://access.redhat.com/security/team/key/	Trust: 0.1
url:	https://access.redhat.com/security/cve/cve-2013-6414	Trust: 0.1

CREDITS

Peter McLarnan of Matasano Security.

Trust: 0.3

sources: BID: 64076

SOURCES

db:	BID	id:	64076
db:	JVNDB	id:	JVNDB-2013-005367
db:	PACKETSTORM	id:	125923
db:	PACKETSTORM	id:	124669
db:	PACKETSTORM	id:	124305
db:	PACKETSTORM	id:	129131
db:	CNNVD	id:	CNNVD-201312-123
db:	NVD	id:	CVE-2013-4491

LAST UPDATE DATE

2024-11-23T20:02:43.087000+00:00

SOURCES UPDATE DATE

db:	BID	id:	64076	date:	2015-04-13T21:56:00
db:	JVNDB	id:	JVNDB-2013-005367	date:	2015-08-10T00:00:00
db:	CNNVD	id:	CNNVD-201312-123	date:	2019-08-09T00:00:00
db:	NVD	id:	CVE-2013-4491	date:	2024-11-21T01:55:40.540

SOURCES RELEASE DATE

db:	BID	id:	64076	date:	2013-12-03T00:00:00
db:	JVNDB	id:	JVNDB-2013-005367	date:	2013-12-10T00:00:00
db:	PACKETSTORM	id:	125923	date:	2014-03-28T19:44:00
db:	PACKETSTORM	id:	124669	date:	2014-01-06T23:18:51
db:	PACKETSTORM	id:	124305	date:	2013-12-06T01:04:06
db:	PACKETSTORM	id:	129131	date:	2014-11-17T23:30:56
db:	CNNVD	id:	CNNVD-201312-123	date:	2013-12-09T00:00:00
db:	NVD	id:	CVE-2013-4491	date:	2013-12-07T00:55:03.553