ID

VAR-201312-0119


CVE

CVE-2013-4492


TITLE

Ruby for i18n gem of exceptions.rb Vulnerable to cross-site scripting

Trust: 0.8

sources: JVNDB: JVNDB-2013-005372

DESCRIPTION

Cross-site scripting (XSS) vulnerability in exceptions.rb in the i18n gem before 0.6.6 for Ruby allows remote attackers to inject arbitrary web script or HTML via a crafted I18n::MissingTranslationData.new call. RubyGems i18n is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Versions prior to RubyGems i18n 0.6.6, and 0.5.1 are vulnerable. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ------------------------------------------------------------------------- Debian Security Advisory DSA-2830-1 security@debian.org http://www.debian.org/security/ Florian Weiemr December 30, 2013 http://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : ruby-i18n Vulnerability : cross-site scripting Problem type : remote Debian-specific: no CVE ID : CVE-2013-4492 Peter McLarnan discovered that the internationalization component of Ruby on Rails does not properly encode parameters in generated HTML code, resulting in a cross-site scripting vulnerability. This update corrects the underlying vulnerability in the i18n gem, as provided by the ruby-i18n package. The oldstable distribution (squeeze) is not affected by this problem; the libi18n-ruby package does not contain the vulnerable code. For the stable distribution (wheezy), this problem has been fixed in version 0.6.0-3+deb7u1. For the unstable distribution (sid), this problem has been fixed in version 0.6.9-1. We recommend that you upgrade your ruby-i18n packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: http://www.debian.org/security/ Mailing list: debian-security-announce@lists.debian.org -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) iQEcBAEBAgAGBQJSwfRdAAoJEL97/wQC1SS+xwAH/iI7ga/tjp1b8r//lKu3BBt5 GClsPWVKd9TBEYGHTM2ipskSU9+EDOkt/vhWH9TK2C5BA0eo68b6I2Gg8Z+BQzGa SwfQmnIee/UX3gFi+mRnppyNp1WqAxEXvRNN/1JCiVevZAUEicnUx36xUn7paLIi T+I2iae9LrCrP11XtU0KzNeg3ktt5QOTvOHIjlsdXoDHqT8EzjGalk99qA4fVK0I FU2as0zhN6aZtnivhoIuc4P3u4XYoKhK7R4BL4bwW1KzSr4/LqZ2PAOLRexyWDwV HJdfcR3WyRvpuxQKVFU9XF+agjBhWU98B8BWaC7O7aTsFYpwtHdtRN6PGJgCXUA= =GovW -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2013-4492 // JVNDB: JVNDB-2013-005372 // BID: 64076 // PACKETSTORM: 124627

AFFECTED PRODUCTS

vendor:i18nmodel:i18nscope:lteversion:0.6.5

Trust: 1.0

vendor:sven fuchsmodel:i18nscope:ltversion:0.6.6

Trust: 0.8

vendor:ruby i18nmodel:i18nscope:eqversion:0.6.5

Trust: 0.6

vendor:susemodel:webyastscope:eqversion:1.3

Trust: 0.3

vendor:susemodel:studio onsitescope:eqversion:1.3

Trust: 0.3

vendor:susemodel:lifecycle management serverscope:eqversion:1.3

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:13.1

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.3

Trust: 0.3

vendor:s u s emodel:opensusescope:eqversion:12.2

Trust: 0.3

vendor:rubygemsmodel:i18nscope:eqversion:0.6.5

Trust: 0.3

vendor:rubygemsmodel:i18nscope:eqversion:0.5.0

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:4.0.1

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:4.0

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.13

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.12

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.11

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.10

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.8

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.7

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.6

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.4

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.2

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.12

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.11

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.9

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.8

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.7

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.6

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.5

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.4

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1.2

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.1

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.0.6

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2.15

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.2

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.0.8

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:eqversion:3.0.7

Trust: 0.3

vendor:redhatmodel:software collections for rhelscope:eqversion:0

Trust: 0.3

vendor:redhatmodel:openstackscope:eqversion:3.0

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:eqversion:3.1

Trust: 0.3

vendor:opscodemodel:chefscope:eqversion:11.1.2

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:51005.1

Trust: 0.3

vendor:ibmmodel:security network protection xgsscope:eqversion:5.1.2

Trust: 0.3

vendor:debianmodel:linux sparcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux s/390scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux powerpcscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux mipsscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-64scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux ia-32scope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux armscope:eqversion:6.0

Trust: 0.3

vendor:debianmodel:linux amd64scope:eqversion:6.0

Trust: 0.3

vendor:rubygemsmodel:i18nscope:neversion:0.6.6

Trust: 0.3

vendor:rubygemsmodel:i18nscope:neversion:0.5.1

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:neversion:4.0.2

Trust: 0.3

vendor:rubymodel:on rails ruby on railsscope:neversion:3.2.16

Trust: 0.3

vendor:puppetlabsmodel:puppet enterprisescope:neversion:3.1.1

Trust: 0.3

vendor:opscodemodel:chefscope:neversion:11.1.3

Trust: 0.3

sources: BID: 64076 // JVNDB: JVNDB-2013-005372 // CNNVD: CNNVD-201312-124 // NVD: CVE-2013-4492

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4492
value: MEDIUM

Trust: 1.0

NVD: CVE-2013-4492
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201312-124
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2013-4492
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2013-005372 // CNNVD: CNNVD-201312-124 // NVD: CVE-2013-4492

PROBLEMTYPE DATA

problemtype:CWE-79

Trust: 1.8

sources: JVNDB: JVNDB-2013-005372 // NVD: CVE-2013-4492

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201312-124

TYPE

xss

Trust: 0.7

sources: PACKETSTORM: 124627 // CNNVD: CNNVD-201312-124

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-005372

PATCH

title:The I18n::MissingTranslation exception escapes key names for its html_messageurl:https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445

Trust: 0.8

title:[CVE-2013-4491] Reflective XSS Vulnerability in Ruby on Railsurl:https://groups.google.com/forum/message/raw?msg=ruby-security-ann/pLrh6DUw998/bLFEyIO4k_EJ

Trust: 0.8

title:Rails 3.2.16 and 4.0.2 have been released!url:http://weblog.rubyonrails.org/2013/12/3/Rails_3_2_16_and_4_0_2_have_been_released/

Trust: 0.8

title:i18nurl:http://rubygems.org/gems/i18n

Trust: 0.8

title:lib-i18n-exceptions.rburl:http://123.124.177.30/web/xxk/bdxqById.tag?id=46892

Trust: 0.6

sources: JVNDB: JVNDB-2013-005372 // CNNVD: CNNVD-201312-124

EXTERNAL IDS

db:NVDid:CVE-2013-4492

Trust: 2.8

db:BIDid:64076

Trust: 1.9

db:JVNDBid:JVNDB-2013-005372

Trust: 0.8

db:CNNVDid:CNNVD-201312-124

Trust: 0.6

db:PACKETSTORMid:124627

Trust: 0.1

sources: BID: 64076 // JVNDB: JVNDB-2013-005372 // PACKETSTORM: 124627 // CNNVD: CNNVD-201312-124 // NVD: CVE-2013-4492

REFERENCES

url:http://weblog.rubyonrails.org/2013/12/3/rails_3_2_16_and_4_0_2_have_been_released/

Trust: 1.6

url:https://groups.google.com/forum/message/raw?msg=ruby-security-ann/plrh6duw998/blfeyio4k_ej

Trust: 1.6

url:http://www.debian.org/security/2013/dsa-2830

Trust: 1.6

url:https://github.com/svenfuchs/i18n/commit/92b57b1e4f84adcdcc3a375278f299274be62445

Trust: 1.6

url:http://lists.opensuse.org/opensuse-updates/2013-12/msg00093.html

Trust: 1.6

url:http://www.securityfocus.com/bid/64076

Trust: 1.6

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4492

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4492

Trust: 0.8

url:https://bugzilla.redhat.com/show_bug.cgi?id=1039435

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2013-4492

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2017:0320

Trust: 0.6

url:https://access.redhat.com/errata/rhba-2015:1100

Trust: 0.6

url:https://access.redhat.com/errata/rhsa-2018:0380

Trust: 0.6

url:https://bugzilla.redhat.com/show_bug.cgi?id=1036922

Trust: 0.3

url:http://www.getchef.com/blog/2014/04/09/chef-server-heartbleed-cve-2014-0160-releases/

Trust: 0.3

url:http://puppetlabs.com/security/cve/cve-2013-4491

Trust: 0.3

url:http://www.getchef.com/blog/2014/04/09/enterprise-chef-11-1-3-release/

Trust: 0.3

url:http://www.rubyonrails.com/

Trust: 0.3

url:rubygems.org/gems/i18n

Trust: 0.3

url:https://rhn.redhat.com/errata/rhsa-2014-0008.html

Trust: 0.3

url:https://rhn.redhat.com/errata/rhsa-2013-1794.html

Trust: 0.3

url:http://www-01.ibm.com/support/docview.wss?uid=swg21665279

Trust: 0.3

url:https://www.suse.com/support/update/announcement/2014/suse-su-20140734-1.html

Trust: 0.3

url:http://www.debian.org/security/faq

Trust: 0.1

url:http://www.debian.org/security/

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-4492

Trust: 0.1

sources: BID: 64076 // JVNDB: JVNDB-2013-005372 // PACKETSTORM: 124627 // CNNVD: CNNVD-201312-124 // NVD: CVE-2013-4492

CREDITS

Peter McLarnan of Matasano Security.

Trust: 0.3

sources: BID: 64076

SOURCES

db:BIDid:64076
db:JVNDBid:JVNDB-2013-005372
db:PACKETSTORMid:124627
db:CNNVDid:CNNVD-201312-124
db:NVDid:CVE-2013-4492

LAST UPDATE DATE

2024-11-23T20:16:25.598000+00:00


SOURCES UPDATE DATE

db:BIDid:64076date:2015-04-13T21:56:00
db:JVNDBid:JVNDB-2013-005372date:2013-12-10T00:00:00
db:CNNVDid:CNNVD-201312-124date:2023-04-14T00:00:00
db:NVDid:CVE-2013-4492date:2024-11-21T01:55:40.687

SOURCES RELEASE DATE

db:BIDid:64076date:2013-12-03T00:00:00
db:JVNDBid:JVNDB-2013-005372date:2013-12-10T00:00:00
db:PACKETSTORMid:124627date:2013-12-31T14:01:56
db:CNNVDid:CNNVD-201312-124date:2013-12-09T00:00:00
db:NVDid:CVE-2013-4492date:2013-12-07T00:55:03.663