Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2019-14849
Vulnerability from cvelistv5
Published
2019-12-12 13:14
Modified
2024-08-05 00:26
Severity ?
EPSS score ?
Summary
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T00:26:39.075Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "3scale",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
],
"metrics": [
{
"cvssV3_0": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-201",
"description": "CWE-201",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2019-12-12T13:14:53",
"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"shortName": "redhat"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
"assignerShortName": "redhat",
"cveId": "CVE-2019-14849",
"datePublished": "2019-12-12T13:14:53",
"dateReserved": "2019-08-10T00:00:00",
"dateUpdated": "2024-08-05T00:26:39.075Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2019-14849\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2019-12-12T14:15:15.257\",\"lastModified\":\"2024-11-21T04:27:29.613\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.\"},{\"lang\":\"es\",\"value\":\"Se encontr\u00f3 una vulnerabilidad en 3scale versi\u00f3n anterior a 2.6, no estableci\u00f3 el atributo HTTPOnly en la cookie de sesi\u00f3n del usuario. Un atacante podr\u00eda usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a informaci\u00f3n no autorizada.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N\",\"baseScore\":5.4,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.3,\"impactScore\":2.7}],\"cvssMetricV30\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N\",\"baseScore\":4.6,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":2.1,\"impactScore\":2.5}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:S/C:N/I:P/A:N\",\"baseScore\":3.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"SINGLE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\"},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":6.8,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":true}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-201\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-79\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"2.6\",\"matchCriteriaId\":\"2700E9B2-AE29-44B4-B1F2-FBC912ED0A05\"}]}]}],\"references\":[{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Vendor Advisory\"]}]}}"
}
}
gsd-2019-14849
Vulnerability from gsd
Modified
2023-12-13 01:23
Details
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2019-14849",
"description": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GSD-2019-14849",
"references": [
"https://access.redhat.com/errata/RHSA-2019:2534"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2019-14849"
],
"details": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GSD-2019-14849",
"modified": "2023-12-13T01:23:52.662572Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14849",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "3scale",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
]
},
"impact": {
"cvss": [
{
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"cweId": "CWE-201",
"lang": "eng",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849",
"refsource": "MISC",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndExcluding": "2.6",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "secalert@redhat.com",
"ID": "CVE-2019-14849"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "LOW",
"userInteractionRequired": true
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7
}
},
"lastModifiedDate": "2023-02-12T23:35Z",
"publishedDate": "2019-12-12T14:15Z"
}
}
}
fkie_cve-2019-14849
Vulnerability from fkie_nvd
Published
2019-12-12 14:15
Modified
2024-11-21 04:27
Severity ?
Summary
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| secalert@redhat.com | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849 | Issue Tracking, Vendor Advisory |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:redhat:3scale:*:*:*:*:*:*:*:*",
"matchCriteriaId": "2700E9B2-AE29-44B4-B1F2-FBC912ED0A05",
"versionEndExcluding": "2.6",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information."
},
{
"lang": "es",
"value": "Se encontr\u00f3 una vulnerabilidad en 3scale versi\u00f3n anterior a 2.6, no estableci\u00f3 el atributo HTTPOnly en la cookie de sesi\u00f3n del usuario. Un atacante podr\u00eda usar esto para conducir ataques de tipo cross site scripting y conseguir acceso a informaci\u00f3n no autorizada."
}
],
"id": "CVE-2019-14849",
"lastModified": "2024-11-21T04:27:29.613",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "LOW",
"cvssData": {
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 3.5,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 6.8,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": true
}
],
"cvssMetricV30": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"exploitabilityScore": 2.1,
"impactScore": 2.5,
"source": "secalert@redhat.com",
"type": "Secondary"
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.3,
"impactScore": 2.7,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2019-12-12T14:15:15.257",
"references": [
{
"source": "secalert@redhat.com",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Issue Tracking",
"Vendor Advisory"
],
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"sourceIdentifier": "secalert@redhat.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-201"
}
],
"source": "secalert@redhat.com",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-79"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
rhsa-2019_2534
Vulnerability from csaf_redhat
Published
2019-08-21 11:44
Modified
2024-11-15 04:08
Summary
Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update
Notes
Topic
A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.
Security Fix(es):
* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.\n\nSecurity Fix(es):\n\n* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2534",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "THREESCALE-2852",
"url": "https://issues.redhat.com/browse/THREESCALE-2852"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update",
"tracking": {
"current_release_date": "2024-11-15T04:08:50+00:00",
"generator": {
"date": "2024-11-15T04:08:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2534",
"initial_release_date": "2019-08-21T11:44:18+00:00",
"revision_history": [
{
"date": "2019-08-21T11:44:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-21T11:44:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T04:08:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHAMP-2.6",
"product": {
"name": "RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:3scale_amp:2"
}
}
}
],
"category": "product_family",
"name": "3scale API Management"
},
{
"branches": [
{
"category": "product_version",
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_id": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/apicast-gateway\u0026tag=1.15-9"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_id": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/backend\u0026tag=1.9-24"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_id": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/zync\u0026tag=1.9-28"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/3scale-operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_id": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/toolbox\u0026tag=latest"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64"
},
"product_reference": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64"
},
"product_reference": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64"
},
"product_reference": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
},
"product_reference": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Netanel"
],
"organization": "Cloudinary",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-10216",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1737080"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: -dSAFER escape via .buildfont1 (701394)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10216"
},
{
"category": "external",
"summary": "RHBZ#1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10216",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216"
}
],
"release_date": "2019-08-12T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: -dSAFER escape via .buildfont1 (701394)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14811",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14811"
},
{
"category": "external",
"summary": "RHBZ#1743757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14811"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14812",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743754"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14812"
},
{
"category": "external",
"summary": "RHBZ#1743754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14812",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14813",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743737"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14813"
},
{
"category": "external",
"summary": "RHBZ#1743737",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743737"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14813"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
}
],
"cve": "CVE-2019-14817",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1744042"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14817"
},
{
"category": "external",
"summary": "RHBZ#1744042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744042"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14817",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)"
},
{
"cve": "CVE-2019-14849",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2019-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1712167"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. An attacker could abuse this flaw to conduct Cross-site Scripting attacks and gain access to unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "3scale: user session cookie does not set HTTPOnly",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"category": "external",
"summary": "RHBZ#1712167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14849",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
}
],
"release_date": "2019-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "3scale: user session cookie does not set HTTPOnly"
}
]
}
rhsa-2019:2534
Vulnerability from csaf_redhat
Published
2019-08-21 11:44
Modified
2024-11-15 04:08
Summary
Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update
Notes
Topic
A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.
Security Fix(es):
* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.\n\nSecurity Fix(es):\n\n* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2534",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "THREESCALE-2852",
"url": "https://issues.redhat.com/browse/THREESCALE-2852"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update",
"tracking": {
"current_release_date": "2024-11-15T04:08:50+00:00",
"generator": {
"date": "2024-11-15T04:08:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2534",
"initial_release_date": "2019-08-21T11:44:18+00:00",
"revision_history": [
{
"date": "2019-08-21T11:44:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-21T11:44:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T04:08:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHAMP-2.6",
"product": {
"name": "RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:3scale_amp:2"
}
}
}
],
"category": "product_family",
"name": "3scale API Management"
},
{
"branches": [
{
"category": "product_version",
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_id": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/apicast-gateway\u0026tag=1.15-9"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_id": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/backend\u0026tag=1.9-24"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_id": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/zync\u0026tag=1.9-28"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/3scale-operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_id": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/toolbox\u0026tag=latest"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64"
},
"product_reference": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64"
},
"product_reference": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64"
},
"product_reference": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
},
"product_reference": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Netanel"
],
"organization": "Cloudinary",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-10216",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1737080"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: -dSAFER escape via .buildfont1 (701394)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10216"
},
{
"category": "external",
"summary": "RHBZ#1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10216",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216"
}
],
"release_date": "2019-08-12T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: -dSAFER escape via .buildfont1 (701394)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14811",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14811"
},
{
"category": "external",
"summary": "RHBZ#1743757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14811"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14812",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743754"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14812"
},
{
"category": "external",
"summary": "RHBZ#1743754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14812",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14813",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743737"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14813"
},
{
"category": "external",
"summary": "RHBZ#1743737",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743737"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14813"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
}
],
"cve": "CVE-2019-14817",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1744042"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14817"
},
{
"category": "external",
"summary": "RHBZ#1744042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744042"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14817",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)"
},
{
"cve": "CVE-2019-14849",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2019-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1712167"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. An attacker could abuse this flaw to conduct Cross-site Scripting attacks and gain access to unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "3scale: user session cookie does not set HTTPOnly",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"category": "external",
"summary": "RHBZ#1712167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14849",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
}
],
"release_date": "2019-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "3scale: user session cookie does not set HTTPOnly"
}
]
}
RHSA-2019:2534
Vulnerability from csaf_redhat
Published
2019-08-21 11:44
Modified
2024-11-15 04:08
Summary
Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update
Notes
Topic
A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.
This release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.
Security Fix(es):
* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{
"document": {
"aggregate_severity": {
"namespace": "https://access.redhat.com/security/updates/classification/",
"text": "Important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "A security update for Red Hat 3scale API Management Platform is now available from the Red Hat Container Catalog.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.",
"title": "Topic"
},
{
"category": "general",
"text": "Red Hat 3scale API Management delivers centralized API management features through a distributed, cloud-hosted layer. It includes built-in features to help in building a more successful API program, including access control, rate limits, payment gateway integration, and developer experience tools.\n\nThis release of Red Hat 3scale API Management 2.6.0 replaces Red Hat 3scale API Management 2.5.1.\n\nSecurity Fix(es):\n\n* ghostscript: -dSAFER escape via .buildfont1 (CVE-2019-10216)",
"title": "Details"
},
{
"category": "legal_disclaimer",
"text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
"title": "Terms of Use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://access.redhat.com/security/team/contact/",
"issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
"name": "Red Hat Product Security",
"namespace": "https://www.redhat.com"
},
"references": [
{
"category": "self",
"summary": "https://access.redhat.com/errata/RHSA-2019:2534",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "external",
"summary": "https://access.redhat.com/security/updates/classification/#important",
"url": "https://access.redhat.com/security/updates/classification/#important"
},
{
"category": "external",
"summary": "1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "THREESCALE-2852",
"url": "https://issues.redhat.com/browse/THREESCALE-2852"
},
{
"category": "self",
"summary": "Canonical URL",
"url": "https://security.access.redhat.com/data/csaf/v2/advisories/2019/rhsa-2019_2534.json"
}
],
"title": "Red Hat Security Advisory: Red Hat 3scale API Management 2.6.0 release and security update",
"tracking": {
"current_release_date": "2024-11-15T04:08:50+00:00",
"generator": {
"date": "2024-11-15T04:08:50+00:00",
"engine": {
"name": "Red Hat SDEngine",
"version": "4.2.1"
}
},
"id": "RHSA-2019:2534",
"initial_release_date": "2019-08-21T11:44:18+00:00",
"revision_history": [
{
"date": "2019-08-21T11:44:18+00:00",
"number": "1",
"summary": "Initial version"
},
{
"date": "2019-08-21T11:44:18+00:00",
"number": "2",
"summary": "Last updated version"
},
{
"date": "2024-11-15T04:08:50+00:00",
"number": "3",
"summary": "Last generated version"
}
],
"status": "final",
"version": "3"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_name",
"name": "RHAMP-2.6",
"product": {
"name": "RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6",
"product_identification_helper": {
"cpe": "cpe:/a:redhat:3scale_amp:2"
}
}
}
],
"category": "product_family",
"name": "3scale API Management"
},
{
"branches": [
{
"category": "product_version",
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_id": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"product_identification_helper": {
"purl": "pkg:oci/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/apicast-gateway\u0026tag=1.15-9"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_id": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"product_identification_helper": {
"purl": "pkg:oci/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/backend\u0026tag=1.9-24"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_id": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"product_identification_helper": {
"purl": "pkg:oci/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/zync\u0026tag=1.9-28"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/3scale-operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_id": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"product_identification_helper": {
"purl": "pkg:oci/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/operator\u0026tag=latest"
}
}
},
{
"category": "product_version",
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_id": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"product_identification_helper": {
"purl": "pkg:oci/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed?arch=amd64\u0026repository_url=registry.redhat.io/3scale-amp26/toolbox\u0026tag=latest"
}
}
}
],
"category": "architecture",
"name": "amd64"
}
],
"category": "vendor",
"name": "Red Hat"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64"
},
"product_reference": "3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64"
},
"product_reference": "3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64"
},
"product_reference": "3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64"
},
"product_reference": "3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64 as a component of RHAMP-2.6",
"product_id": "7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
},
"product_reference": "3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64",
"relates_to_product_reference": "7Server-RH7-3scale-AMP-2.6"
}
]
},
"vulnerabilities": [
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Netanel"
],
"organization": "Cloudinary",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-10216",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-02T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1737080"
}
],
"notes": [
{
"category": "description",
"text": "It was found that the .buildfont1 procedure did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. An attacker could abuse this flaw by creating a specially crafted PostScript file that could escalate privileges and access files outside of restricted areas.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: -dSAFER escape via .buildfont1 (701394)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-10216"
},
{
"category": "external",
"summary": "RHBZ#1737080",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1737080"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-10216",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-10216"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10216"
}
],
"release_date": "2019-08-12T13:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: -dSAFER escape via .buildfont1 (701394)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14811",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743757"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdf_hook_DSC_Creator procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14811"
},
{
"category": "external",
"summary": "RHBZ#1743757",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743757"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14811",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14811"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14811"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdf_hook_DSC_Creator (701445)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14812",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-19T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743754"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .setuserparams2 procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14812"
},
{
"category": "external",
"summary": "RHBZ#1743754",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743754"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14812",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14812"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14812"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setuserparams (701444)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
},
{
"names": [
"Hiroki MATSUKUMA"
],
"organization": "Cyber Defense Institute",
"summary": "Acknowledged by upstream."
}
],
"cve": "CVE-2019-14813",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1743737"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the setsystemparams procedure where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14813"
},
{
"category": "external",
"summary": "RHBZ#1743737",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1743737"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14813"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14813"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"category": "workaround",
"details": "Please refer to the \"Mitigation\" section of CVE-2018-16509 : https://access.redhat.com/security/cve/cve-2018-16509",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in setsystemparams (701443)"
},
{
"acknowledgments": [
{
"names": [
"Artifex Software"
]
}
],
"cve": "CVE-2019-14817",
"cwe": {
"id": "CWE-648",
"name": "Incorrect Use of Privileged APIs"
},
"discovery_date": "2019-08-21T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1744042"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found in the .pdfexectoken and other procedures where it did not properly secure its privileged calls, enabling scripts to bypass `-dSAFER` restrictions. A specially crafted PostScript file could disable security protection and then have access to the file system, or execute arbitrary commands.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14817"
},
{
"category": "external",
"summary": "RHBZ#1744042",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1744042"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14817",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14817"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14817"
}
],
"release_date": "2019-08-28T12:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Important"
}
],
"title": "ghostscript: Safer mode bypass by .forceput exposure in .pdfexectoken and other procedures (701450)"
},
{
"cve": "CVE-2019-14849",
"cwe": {
"id": "CWE-201",
"name": "Insertion of Sensitive Information Into Sent Data"
},
"discovery_date": "2019-05-20T00:00:00+00:00",
"ids": [
{
"system_name": "Red Hat Bugzilla ID",
"text": "1712167"
}
],
"notes": [
{
"category": "description",
"text": "A flaw was found where 3scale did not set the HTTPOnly attribute on the user session cookie. An attacker could abuse this flaw to conduct Cross-site Scripting attacks and gain access to unauthorized information.",
"title": "Vulnerability description"
},
{
"category": "summary",
"text": "3scale: user session cookie does not set HTTPOnly",
"title": "Vulnerability summary"
},
{
"category": "general",
"text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
"title": "CVSS score applicability"
}
],
"product_status": {
"fixed": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
},
"references": [
{
"category": "self",
"summary": "Canonical URL",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"category": "external",
"summary": "RHBZ#1712167",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"category": "external",
"summary": "https://www.cve.org/CVERecord?id=CVE-2019-14849",
"url": "https://www.cve.org/CVERecord?id=CVE-2019-14849"
},
{
"category": "external",
"summary": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
}
],
"release_date": "2019-12-11T00:00:00+00:00",
"remediations": [
{
"category": "vendor_fix",
"date": "2019-08-21T11:44:18+00:00",
"details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nFor details on how to apply this update, refer to:\n\nhttps://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.6/html-single/installing_3scale/#onpremises-installation",
"product_ids": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
],
"restart_required": {
"category": "none"
},
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
}
],
"scores": [
{
"cvss_v3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.0"
},
"products": [
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/3scale-operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/apicast-gateway@sha256:460179d4b253aa5ec8230e1822b9a1d391f572b69b8339c8610598fe9e4b6e69_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/backend@sha256:fc6b954148555d14c3e69152d30eb3db525d12443a64c6301e30717c33f7bf7e_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/operator@sha256:a15858e65d1ce9d9135dc6efc6bbd991c139da60fa27f5c6d913f6a14a2da926_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/toolbox@sha256:af0fe71f79abd21a7cb7a10c7a3797253a2b59025805709db5077f7608be6aed_amd64",
"7Server-RH7-3scale-AMP-2.6:3scale-amp26/zync@sha256:93028a84361f47d61dc8d487547f1023817f3c8a95d8f0d287c1774e18954f43_amd64"
]
}
],
"threats": [
{
"category": "impact",
"details": "Low"
}
],
"title": "3scale: user session cookie does not set HTTPOnly"
}
]
}
ghsa-8v4x-g74w-cgg6
Vulnerability from github
Published
2022-05-24 17:03
Modified
2023-02-02 21:33
Severity ?
Details
A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.
{
"affected": [],
"aliases": [
"CVE-2019-14849"
],
"database_specific": {
"cwe_ids": [
"CWE-201",
"CWE-79"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-12-12T14:15:00Z",
"severity": "MODERATE"
},
"details": "A vulnerability was found in 3scale before version 2.6, did not set the HTTPOnly attribute on the user session cookie. An attacker could use this to conduct cross site scripting attacks and gain access to unauthorized information.",
"id": "GHSA-8v4x-g74w-cgg6",
"modified": "2023-02-02T21:33:45Z",
"published": "2022-05-24T17:03:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14849"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2019:2534"
},
{
"type": "WEB",
"url": "https://access.redhat.com/security/cve/CVE-2019-14849"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=1712167"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14849"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
]
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.