{
  "threat_severity" : "Moderate",
  "public_date" : "2013-03-18T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-actionpack: sanitize_protocol: XSS Vulnerability in the sanitize helper of Ruby on Rails",
    "id" : "921335",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=921335"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "The sanitize helper in lib/action_controller/vendor/html-scanner/html/sanitizer.rb in the Action Pack component in Ruby on Rails before 2.3.18, 3.0.x and 3.1.x before 3.1.12, and 3.2.x before 3.2.13 does not properly handle encoded : (colon) characters in URLs, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks via a crafted scheme name, as demonstrated by including a &#x3a; sequence.", "A cross-site scripting (XSS) flaw was found in the sanitize helper in Action Pack: the helper did not properly handle encoded colon characters (for example, &#x3a;) in URL scheme names. A remote attacker could use this flaw to conduct XSS attacks against users of an application that passes untrusted HTML through Action Pack's sanitize helper." ],
  "acknowledgement" : "Red Hat would like to thank Ruby on Rails upstream for reporting this issue. Upstream acknowledges Alan Jenkins as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "katello-0:1.4.3.28-1.el6sam_splice"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-actionmailer-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.17-6.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activemodel-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activerecord-1:3.2.17-5.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activeresource-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-activesupport-1:3.2.17-2.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-i18n-0:0.6.9-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-mail-0:2.5.4-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-rack-1:1.4.5-3.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-rails-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager 1.4",
    "release_date" : "2014-11-17T00:00:00Z",
    "advisory" : "RHSA-2014:1863",
    "cpe" : "cpe:/a:rhel_sam:1.4::el6",
    "package" : "ruby193-rubygem-railties-1:3.2.17-1.el6sam"
  }, {
    "product_name" : "RHEL 6 Version of OpenShift Enterprise",
    "release_date" : "2013-04-02T00:00:00Z",
    "advisory" : "RHSA-2013:0698",
    "cpe" : "cpe:/a:redhat:openshift:1::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.8-5.el6"
  }, {
    "product_name" : "RHEL 6 Version of OpenShift Enterprise",
    "release_date" : "2013-04-02T00:00:00Z",
    "advisory" : "RHSA-2013:0698",
    "cpe" : "cpe:/a:redhat:openshift:1::el6",
    "package" : "rubygem-actionpack-1:3.0.13-8.el6op"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-1857\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-1857" ],
  "name" : "CVE-2013-1857",
  "csaw" : false
}