CVE-2017-1002201

Common vulnerabilities & exposures (CVE)

CVE database CVE database blogpost Release & EoL database

Published at: - 15-10-2019 08:15

Last modified: - 05-04-2022 10:53

Total changes: - 3

Description

In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.

Common Vulnerability Scoring System (CVSS)

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Low

Attack complexity

Network

Attack vector

None

Availability

Low

Confidentiality

Low

Integrity

None

Privileges required

Changed

Scope

Required

User interaction

6.1

Base score

2.8

2.7

Exploitability score

Impact score

Verification logic

vendor=haml AND product=haml AND target_software=ruby AND versionEndExcluding=5.0.0

vendor=Debian AND product=debian_linux AND version=8.0

vendor=Debian AND product=debian_linux AND version=9.0

Reference

https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
https://snyk.io/vuln/SNYK-RUBY-HAML-20362
[debian-lts-announce] 20191110 [SECURITY] [DLA 1986-1] ruby-haml security update-Mailing List, Third Party Advisory
GLSA-202007-27-Third Party Advisory
[debian-lts-announce] 20211229 [SECURITY] [DLA 2864-1] ruby-haml security update-Mailing List, Third Party Advisory

Keywords

CVE-2017-1002201

Common vulnerabilities & exposures (CVE)

Description

Common Vulnerability Scoring System (CVSS)

Verification logic

Reference

NVD

CVE-2017-1002201

CVE

Common vulnerabilities & exposures

CVSS

Common vulnerability scoring system

Security

Vulnerabilities

Exposures