Upstream information

CVE-2013-0262 at MITRE

Description

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

SUSE information

Overall state of this security issue: Resolved

This issue is currently rated as having important severity.

CVSS v2 Scores
  National Vulnerability Database
Base Score 4.3
Vector AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact None
Availability Impact None
SUSE Bugzilla entry: 802795 [RESOLVED / FIXED]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5
  • ruby2.1-rubygem-chef >= 10.32.2-3.1
  • rubygem-chef >= 10.32.2-3.1
Patchnames:
SUSE Cloud Compute Node for SUSE Linux Enterprise 12 5 GA ruby2.1-rubygem-chef
SUSE Linux Enterprise Software Development Kit 11 SP4
  • rubygem-rack-1_4 >= 1.4.5-0.5.8
Patchnames:
SUSE Linux Enterprise Software Development Kit 11 SP4 GA rubygem-rack-1_4
SUSE OpenStack Cloud 6
  • ruby2.1-rubygem-chef >= 10.32.2-3.2
  • ruby2.1-rubygem-chef-expander >= 10.32.2-1.34
  • ruby2.1-rubygem-chef-server >= 10.32.2-1.1
  • ruby2.1-rubygem-chef-server-api >= 10.32.2-4.2
  • ruby2.1-rubygem-chef-solr >= 10.32.2-1.2
  • ruby2.1-rubygem-rack >= 1.6.4-2.3
  • rubygem-chef >= 10.32.2-3.2
  • rubygem-chef-expander >= 10.32.2-1.34
  • rubygem-chef-server-api >= 10.32.2-4.2
  • rubygem-chef-solr >= 10.32.2-1.2
Patchnames:
SUSE OpenStack Cloud 6 GA ruby2.1-rubygem-chef
SUSE OpenStack Cloud 6 GA ruby2.1-rubygem-rack
SUSE Studio Onsite 1.3
  • susestudio >= 1.3.1.0-0.5.2
  • susestudio-bundled-packages >= 1.3.1.0-0.5.2
  • susestudio-common >= 1.3.1.0-0.5.2
  • susestudio-runner >= 1.3.1.0-0.5.2
  • susestudio-sid >= 1.3.1.0-0.5.2
  • susestudio-ui-server >= 1.3.1.0-0.5.2
Patchnames:
slestso13-susestudio
SUSE Studio Onsite 1.3
  • susestudio >= 1.3.1.0-0.5.2
  • susestudio-bundled-packages >= 1.3.1.0-0.5.2
  • susestudio-common >= 1.3.1.0-0.5.2
  • susestudio-runner >= 1.3.1.0-0.5.2
  • susestudio-sid >= 1.3.1.0-0.5.2
  • susestudio-ui-server >= 1.3.1.0-0.5.2
Builds
SAT Patch Nr: 7721
BDK 11 SP2
  • rubygem-actionmailer-3_2 >= 3.2.12-0.5.9
  • rubygem-actionpack-3_2 >= 3.2.12-0.7.1
  • rubygem-activemodel-3_2 >= 3.2.12-0.5.8
  • rubygem-activerecord-3_2 >= 3.2.12-0.7.1
  • rubygem-activeresource-3_2 >= 3.2.12-0.5.8
  • rubygem-rails-3_2 >= 3.2.12-0.5.10
  • rubygem-railties-3_2 >= 3.2.12-0.7.9
Builds
SAT Patch Nr: 7617
SUSE Linux Enterprise Software Development Kit 11 SP2
  • rubygem-activesupport-3_2 >= 3.2.12-0.5.8
  • rubygem-rack-1_4 >= 1.4.5-0.5.8
Builds
SAT Patch Nr: 7617
SUSE Lifecycle Management Server 1.3
SUSE Studio Onsite 1.3
WebYaST 1.3
  • rubygem-actionmailer-3_2 >= 3.2.12-0.5.9
  • rubygem-actionpack-3_2 >= 3.2.12-0.7.1
  • rubygem-activemodel-3_2 >= 3.2.12-0.5.8
  • rubygem-activerecord-3_2 >= 3.2.12-0.7.1
  • rubygem-activeresource-3_2 >= 3.2.12-0.5.8
  • rubygem-activesupport-3_2 >= 3.2.12-0.5.8
  • rubygem-rack-1_4 >= 1.4.5-0.5.8
  • rubygem-rails-3_2 >= 3.2.12-0.5.10
  • rubygem-railties-3_2 >= 3.2.12-0.7.9
Builds
SAT Patch Nr: 7617
openSUSE Tumbleweed
  • ruby2.2-rubygem-rack >= 2.0.1-1.1
  • ruby2.2-rubygem-rack-1_4 >= 1.4.7-1.8
  • ruby2.2-rubygem-rack-1_6 >= 1.6.5-1.1
  • ruby2.2-rubygem-rack-doc >= 2.0.1-1.1
  • ruby2.2-rubygem-rack-doc-1_4 >= 1.4.7-1.8
  • ruby2.2-rubygem-rack-doc-1_6 >= 1.6.5-1.1
  • ruby2.2-rubygem-rack-testsuite >= 2.0.1-1.1
  • ruby2.2-rubygem-rack-testsuite-1_4 >= 1.4.7-1.8
  • ruby2.2-rubygem-rack-testsuite-1_6 >= 1.6.5-1.1
  • ruby2.3-rubygem-rack >= 2.0.1-1.1
  • ruby2.3-rubygem-rack-1_4 >= 1.4.7-1.8
  • ruby2.3-rubygem-rack-1_6 >= 1.6.5-1.1
  • ruby2.3-rubygem-rack-doc >= 2.0.1-1.1
  • ruby2.3-rubygem-rack-doc-1_4 >= 1.4.7-1.8
  • ruby2.3-rubygem-rack-doc-1_6 >= 1.6.5-1.1
  • ruby2.3-rubygem-rack-testsuite >= 2.0.1-1.1
  • ruby2.3-rubygem-rack-testsuite-1_4 >= 1.4.7-1.8
  • ruby2.3-rubygem-rack-testsuite-1_6 >= 1.6.5-1.1
Patchnames:
openSUSE Tumbleweed GA ruby2.2-rubygem-rack-1_4
openSUSE Tumbleweed GA ruby2.2-rubygem-rack-1_6


Status of this issue by product and package

Product(s) Source package State
SUSE Cloud 11.3 rubygem-actionmailer-2_3 Released
SUSE Cloud 2.0 rubygem-actionmailer-2_3 Released
SUSE Cloud 3 rubygem-actionmailer-2_3 Released
SUSE Cloud 4 rubygem-actionmailer-2_3 Released
SUSE Linux Enterprise SDK 11 SP2 rubygem-actionmailer-2_3 Released