Bug #8263 (closed)
CVE-2014-3712 Katello: user parameters passed to to_sym
Triaged: Yes
Description
Cloned from https://bugzilla.redhat.com/show_bug.cgi?id=1155708
Jan Rusnacko of Red Hat reports:
Katello code exposes a potential to_sym denial-of-service attack vector from user input parameters. The two places identified are:
This type of attack is documented here - http://docs.fedoraproject.org/en-US/Fedora_Security_Team/1/html/Secure_Ruby_Development_Guide/RubySymbols.html
This has been confirmed in testing by Eric Helms of Red Hat.
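The pattern behind this class of bug, as an added illustration that is not Katello's code: a request parameter interned with `String#to_sym`, beside a version that looks the input up in a fixed table of strings the code already knows. The parameter name `sort_by`, the allowed keys and the flooding values are constructed for the example.

```ruby
# Constructed illustration of the to_sym issue this report describes.
# Not Katello code; the parameter name and the allowed field list are made up.

# Before Ruby 2.2 symbols were never garbage-collected, so every distinct
# string a client pushed through String#to_sym stayed in the symbol table for
# the life of the process: unbounded memory growth from one request parameter.
# Ruby 2.2+ can collect symbols created from strings, which reduces the
# impact, but interning untrusted input is still the wrong design.

# Vulnerable pattern: intern whatever the client sent.
def sort_key_unsafe(params)
  params["sort_by"].to_sym
end

# Hardened pattern: map known strings to symbols the code already owns, so the
# user value is only ever compared against a fixed set and never interned.
ALLOWED_SORT_KEYS = {
  "name"       => :name,
  "created_at" => :created_at,
  "updated_at" => :updated_at,
}.freeze

def sort_key_safe(params, default: :name)
  ALLOWED_SORT_KEYS.fetch(params["sort_by"], default)
end

# Feeds +count+ distinct, constructed parameter values through a handler and
# reports how many symbols the interpreter holds afterwards that it did not
# hold before (dynamic symbols still alive are included).
def symbols_created_by(count)
  before = Symbol.all_symbols.size
  count.times { |i| yield("sort_by" => "constructed_value_#{i}_#{rand(1 << 32)}") }
  Symbol.all_symbols.size - before
end

if $PROGRAM_NAME == __FILE__
  puts "unsafe handler: #{symbols_created_by(5_000) { |p| sort_key_unsafe(p) }} new symbols"
  puts "safe handler:   #{symbols_created_by(5_000) { |p| sort_key_safe(p) }} new symbols"
end
```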
Updated by The Foreman Bot about 10 years ago
- Status changed from New to Ready For Testing
- Target version set to 59
- Pull request https://github.com/Katello/katello/pull/4802 added
- Pull request deleted
Updated by Eric Helms about 10 years ago
- Release set to 14
- Triaged changed from No to Yes
Updated by Eric Helms about 10 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset katello|fc5ccc59d40221fbbab71b9632a92f6f83dc6215.