Vulnerability-Lookup

CVE-2013-6443 (GCVE-0-2013-6443)

Vulnerability from cvelistv5 – Published: 2014-01-23 01:00 – Updated: 2024-08-06 17:39

Summary

CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.

Severity ?

No CVSS data available.

CWE

Assigner

redhat

References

URL

RHSA-2014:0025

Vulnerability from csaf_redhat - Published: 2014-01-14 19:16 - Updated: 2025-11-21 17:46

Summary

Red Hat Security Advisory: cfme security, bug fix, and enhancement update

Notes

Topic

Updated cfme packages that fix one security issue, several bugs, and add various enhancements are now available for Red Hat CloudForms 3.0. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Details

Red Hat CloudForms Management Engine delivers the insight, control, and automation enterprises need to address the challenges of managing virtual environments, which are far more complex than physical ones. This technology enables enterprises with existing virtual infrastructures to improve visibility and control, and those just starting virtualization deployments to build and operate a well-managed virtual infrastructure. It was found that sending a GET request for a destructive action could bypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker could use this flaw to perform Cross-Site Request Forgery (CSRF) attacks against CloudForms applications. (CVE-2013-6443) This issue was discovered by Martin Povolný of Red Hat. This update fixes several bugs and adds multiple enhancements. Documentation for these changes will be available shortly from the Red Hat CloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the References section. All users of Red Hat CloudForms are advised to upgrade to these updated packages, which contain backported patches to correct these issues and add these enhancements.

This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://access.redhat.com/security/updates/classification/",
      "text": "Moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Updated cfme packages that fix one security issue, several bugs, and add\nvarious enhancements are now available for Red Hat CloudForms 3.0.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. A Common Vulnerability Scoring System (CVSS) base score,\nwhich gives a detailed severity rating, is available from the CVE link in\nthe References section.",
        "title": "Topic"
      },
      {
        "category": "general",
        "text": "Red Hat CloudForms Management Engine delivers the insight, control, and\nautomation enterprises need to address the challenges of managing virtual\nenvironments, which are far more complex than physical ones. This\ntechnology enables enterprises with existing virtual infrastructures\nto improve visibility and control, and those just starting virtualization\ndeployments to build and operate a well-managed virtual infrastructure.\n\nIt was found that sending a GET request for a destructive action could\nbypass the Ruby on Rails protect_from_forgery mechanism. A remote attacker\ncould use this flaw to perform Cross-Site Request Forgery (CSRF) attacks\nagainst CloudForms applications. (CVE-2013-6443)\n\nThis issue was discovered by Martin Povoln\u00fd of Red Hat.\n\nThis update fixes several bugs and adds multiple enhancements.\nDocumentation for these changes will be available shortly from the Red Hat\nCloudForms 3.0 Management Engine 5.2 Technical Notes linked to in the\nReferences section.\n\nAll users of Red Hat CloudForms are advised to upgrade to these updated\npackages, which contain backported patches to correct these issues and add\nthese enhancements.",
        "title": "Details"
      },
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://access.redhat.com/security/team/contact/",
      "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.",
      "name": "Red Hat Product Security",
      "namespace": "https://www.redhat.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "https://access.redhat.com/errata/RHSA-2014:0025",
        "url": "https://access.redhat.com/errata/RHSA-2014:0025"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/security/updates/classification/#moderate",
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "category": "external",
        "summary": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html",
        "url": "https://access.redhat.com/site/documentation/en-US/CloudForms/3.0/html/Management_Engine_5.2_Technical_Notes/index.html"
      },
      {
        "category": "external",
        "summary": "1044178",
        "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
      },
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2014/rhsa-2014_0025.json"
      }
    ],
    "title": "Red Hat Security Advisory: cfme security, bug fix, and enhancement update",
    "tracking": {
      "current_release_date": "2025-11-21T17:46:46+00:00",
      "generator": {
        "date": "2025-11-21T17:46:46+00:00",
        "engine": {
          "name": "Red Hat SDEngine",
          "version": "4.6.12"
        }
      },
      "id": "RHSA-2014:0025",
      "initial_release_date": "2014-01-14T19:16:52+00:00",
      "revision_history": [
        {
          "date": "2014-01-14T19:16:52+00:00",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2014-01-14T19:16:52+00:00",
          "number": "2",
          "summary": "Last updated version"
        },
        {
          "date": "2025-11-21T17:46:46+00:00",
          "number": "3",
          "summary": "Last generated version"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Management Engine",
                "product": {
                  "name": "Management Engine",
                  "product_id": "6Server-CFME",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:redhat:cloudforms_managementengine:5::el6"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Red Hat CloudForms"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
                "product": {
                  "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
                  "product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=src\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
                "product": {
                  "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
                  "product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=src"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-0:5.2.1.8-1.el6cf.src",
                "product": {
                  "name": "cfme-0:5.2.1.8-1.el6cf.src",
                  "product_id": "cfme-0:5.2.1.8-1.el6cf.src",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=src"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "src"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
                "product": {
                  "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
                  "product_id": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby193-rubygem-activerecord@3.2.13-4.el6cf?arch=noarch\u0026epoch=1"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
                "product": {
                  "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
                  "product_id": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/ruby193-rubygem-linux_admin@0.5.6-1.el6cf?arch=noarch"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "noarch"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
                "product": {
                  "name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
                  "product_id": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-lib@5.2.1.8-1.el6cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
                "product": {
                  "name": "cfme-0:5.2.1.8-1.el6cf.x86_64",
                  "product_id": "cfme-0:5.2.1.8-1.el6cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme@5.2.1.8-1.el6cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
                "product": {
                  "name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
                  "product_id": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-appliance@5.2.1.8-1.el6cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
                "product": {
                  "name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
                  "product_id": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/cfme-debuginfo@5.2.1.8-1.el6cf?arch=x86_64"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
                "product": {
                  "name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
                  "product_id": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/redhat/mingw32-cfme-host@5.2.1.8-1.el6cf?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-0:5.2.1.8-1.el6cf.src as a component of Management Engine",
          "product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src"
        },
        "product_reference": "cfme-0:5.2.1.8-1.el6cf.src",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
          "product_id": "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64"
        },
        "product_reference": "cfme-0:5.2.1.8-1.el6cf.x86_64",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
          "product_id": "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64"
        },
        "product_reference": "cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
          "product_id": "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64"
        },
        "product_reference": "cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
          "product_id": "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64"
        },
        "product_reference": "cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64 as a component of Management Engine",
          "product_id": "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64"
        },
        "product_reference": "mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch as a component of Management Engine",
          "product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch"
        },
        "product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src as a component of Management Engine",
          "product_id": "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src"
        },
        "product_reference": "ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch as a component of Management Engine",
          "product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch"
        },
        "product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
        "relates_to_product_reference": "6Server-CFME"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src as a component of Management Engine",
          "product_id": "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
        },
        "product_reference": "ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src",
        "relates_to_product_reference": "6Server-CFME"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Martin Povoln\u00fd"
          ],
          "organization": "Red Hat",
          "summary": "This issue was discovered by Red Hat."
        }
      ],
      "cve": "CVE-2013-6443",
      "cwe": {
        "id": "CWE-352",
        "name": "Cross-Site Request Forgery (CSRF)"
      },
      "discovery_date": "2013-12-17T00:00:00+00:00",
      "ids": [
        {
          "system_name": "Red Hat Bugzilla ID",
          "text": "1044178"
        }
      ],
      "notes": [
        {
          "category": "description",
          "text": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
          "title": "Vulnerability description"
        },
        {
          "category": "summary",
          "text": "CFME: GET request CSRF vulnerability",
          "title": "Vulnerability summary"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "fixed": [
          "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
          "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
          "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
          "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
          "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
          "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
          "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
          "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
          "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
          "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://access.redhat.com/security/cve/CVE-2013-6443"
        },
        {
          "category": "external",
          "summary": "RHBZ#1044178",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1044178"
        },
        {
          "category": "external",
          "summary": "https://www.cve.org/CVERecord?id=CVE-2013-6443",
          "url": "https://www.cve.org/CVERecord?id=CVE-2013-6443"
        },
        {
          "category": "external",
          "summary": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443",
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
        }
      ],
      "release_date": "2014-01-14T00:00:00+00:00",
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2014-01-14T19:16:52+00:00",
          "details": "Before applying this update, make sure all previously released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to use the\nRed Hat Network to apply this update are available at\nhttps://access.redhat.com/site/articles/11258",
          "product_ids": [
            "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
            "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
            "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
            "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
            "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
          ],
          "restart_required": {
            "category": "none"
          },
          "url": "https://access.redhat.com/errata/RHSA-2014:0025"
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "products": [
            "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.src",
            "6Server-CFME:cfme-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-appliance-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-debuginfo-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:cfme-lib-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:mingw32-cfme-host-0:5.2.1.8-1.el6cf.x86_64",
            "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.noarch",
            "6Server-CFME:ruby193-rubygem-activerecord-1:3.2.13-4.el6cf.src",
            "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.noarch",
            "6Server-CFME:ruby193-rubygem-linux_admin-0:0.5.6-1.el6cf.src"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ],
      "title": "CFME: GET request CSRF vulnerability"
    }
  ]
}

FKIE_CVE-2013-6443

Vulnerability from fkie_nvd - Published: 2014-01-23 01:55 - Updated: 2025-04-11 00:51

Severity ?

Summary

References

URL	Tags
secalert@redhat.com	http://rhn.redhat.com/errata/RHSA-2014-0025.html	Vendor Advisory
secalert@redhat.com	http://www.securitytracker.com/id/1029606
af854a3a-2127-422b-91ae-364da2661108	http://rhn.redhat.com/errata/RHSA-2014-0025.html	Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id/1029606

Impacted products

Vendor	Product	Version
redhat	cloudforms	3.0
redhat	cloudforms_3.0_management_engine	*
redhat	cloudforms_3.0_management_engine	5.2

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "E497C765-C720-4566-BB73-705C36AEA59A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "C4F9D471-71B8-413D-9298-286D875F53A9",
              "versionEndIncluding": "5.2.1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "D21CFAD1-5422-4595-841D-A80F940B1545",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
    },
    {
      "lang": "es",
      "value": "CloudForms 3.0 Management Engine anterior a la versi\u00f3n 5.2.1.6 permite a atacantes remotos evadir el mecanismo protect_from_forgery de Ruby on Rails y llevar a cabo ataques de CSRF a trav\u00e9s de una acci\u00f3n destructiva en una petici\u00f3n."
    }
  ],
  "id": "CVE-2013-6443",
  "lastModified": "2025-04-11T00:51:21.963",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 6.8,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 8.6,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ]
  },
  "published": "2014-01-23T01:55:03.773",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
    },
    {
      "source": "secalert@redhat.com",
      "url": "http://www.securitytracker.com/id/1029606"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id/1029606"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-VVP8-XF2F-VGC6

Vulnerability from github – Published: 2022-05-17 04:54 – Updated: 2022-05-17 04:54

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2013-6443"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2014-01-23T01:55:00Z",
    "severity": "MODERATE"
  },
  "details": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
  "id": "GHSA-vvp8-xf2f-vgc6",
  "modified": "2022-05-17T04:54:10Z",
  "published": "2022-05-17T04:54:10Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2013-6443"
    },
    {
      "type": "WEB",
      "url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id/1029606"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

GSD-2013-6443

Vulnerability from gsd - Updated: 2023-12-13 01:22

Details

Aliases

CVE-2013-6443

Aliases

CVE-2013-6443

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2013-6443",
    "description": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
    "id": "GSD-2013-6443",
    "references": [
      "https://access.redhat.com/errata/RHSA-2014:0025"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2013-6443"
      ],
      "details": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request.",
      "id": "GSD-2013-6443",
      "modified": "2023-12-13T01:22:18.876912Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert@redhat.com",
        "ID": "CVE-2013-6443",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1029606",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id/1029606"
          },
          {
            "name": "RHSA-2014:0025",
            "refsource": "REDHAT",
            "url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms:3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:5.2:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:redhat:cloudforms_3.0_management_engine:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndIncluding": "5.2.1",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert@redhat.com",
          "ID": "CVE-2013-6443"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "CloudForms 3.0 Management Engine before 5.2.1.6 allows remote attackers to bypass the Ruby on Rails protect_from_forgery mechanism and conduct cross-site request forgery (CSRF) attacks via a destructive action in a request."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-352"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "RHSA-2014:0025",
              "refsource": "REDHAT",
              "tags": [
                "Vendor Advisory"
              ],
              "url": "http://rhn.redhat.com/errata/RHSA-2014-0025.html"
            },
            {
              "name": "1029606",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id/1029606"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 8.6,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "MEDIUM",
          "userInteractionRequired": true
        }
      },
      "lastModifiedDate": "2014-01-23T18:18Z",
      "publishedDate": "2014-01-23T01:55Z"
    }
  }
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2013-6443 (GCVE-0-2013-6443)

RHSA-2014:0025

FKIE_CVE-2013-6443

GHSA-VVP8-XF2F-VGC6

GSD-2013-6443

Tags

Sightings

Nomenclature