Vulnerability-Lookup

CVE-2020-7663 (GCVE-0-2020-7663)

Vulnerability from cvelistv5 – Published: 2020-06-02 18:25 – Updated: 2024-08-04 09:33

Summary

websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE

Regular Expression Denial of Service (ReDoS)

Assigner

snyk

References

6 references

URL	Tags
https://github.com/faye/websocket-extensions-ruby…	x_refsource_MISC
https://github.com/faye/websocket-extensions-ruby…	x_refsource_MISC
https://blog.jcoglan.com/2020/06/02/redos-vulnera…	x_refsource_MISC
https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSION…	x_refsource_MISC
https://lists.debian.org/debian-lts-announce/2020…	mailing-listx_refsource_MLIST
https://usn.ubuntu.com/4502-1/	vendor-advisoryx_refsource_UBUNTU

Impacted products

1 product

Vendor	Product	Version
n/a	websocket-extensions (ruby)	Affected: All versions prior to 0.1.5

Date Public

2020-06-02 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T09:33:20.058Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830"
          },
          {
            "name": "[debian-lts-announce] 20200819 [SECURITY] [DLA 2334-1] ruby-websocket-extensions security update",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html"
          },
          {
            "name": "USN-4502-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4502-1/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "websocket-extensions (ruby)",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "All versions prior to 0.1.5"
            }
          ]
        }
      ],
      "datePublic": "2020-06-02T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "Regular Expression Denial of Service (ReDoS)",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2020-09-17T14:27:33.000Z",
        "orgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
        "shortName": "snyk"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830"
        },
        {
          "name": "[debian-lts-announce] 20200819 [SECURITY] [DLA 2334-1] ruby-websocket-extensions security update",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html"
        },
        {
          "name": "USN-4502-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4502-1/"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "report@snyk.io",
          "ID": "CVE-2020-7663",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "websocket-extensions (ruby)",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "All versions prior to 0.1.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "Regular Expression Denial of Service (ReDoS)"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2",
              "refsource": "MISC",
              "url": "https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2"
            },
            {
              "name": "https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b",
              "refsource": "MISC",
              "url": "https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b"
            },
            {
              "name": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions",
              "refsource": "MISC",
              "url": "https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions"
            },
            {
              "name": "https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830",
              "refsource": "MISC",
              "url": "https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830"
            },
            {
              "name": "[debian-lts-announce] 20200819 [SECURITY] [DLA 2334-1] ruby-websocket-extensions security update",
              "refsource": "MLIST",
              "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html"
            },
            {
              "name": "USN-4502-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4502-1/"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "bae035ff-b466-4ff4-94d0-fc9efd9e1730",
    "assignerShortName": "snyk",
    "cveId": "CVE-2020-7663",
    "datePublished": "2020-06-02T18:25:01.000Z",
    "dateReserved": "2020-01-21T00:00:00.000Z",
    "dateUpdated": "2024-08-04T09:33:20.058Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2020-7663",
      "date": "2026-06-05",
      "epss": "0.02622",
      "percentile": "0.85971"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2020-7663\",\"sourceIdentifier\":\"report@snyk.io\",\"published\":\"2020-06-02T19:15:12.467\",\"lastModified\":\"2024-11-21T05:37:33.930\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.\"},{\"lang\":\"es\",\"value\":\"El m\u00f3dulo de ruby websocket-extensions versiones anteriores a 0.1.5, permite una denegaci\u00f3n de servicio (DoS) por medio de Regex Backtracking. El analizador de extensiones puede tomar un tiempo cuadr\u00e1tico cuando analiza un encabezado que contiene un valor de par\u00e1metro de cadena no cerrado cuyo contenido es una secuencia repetitiva de dos bytes de una barra diagonal inversa y alg\u00fan otro car\u00e1cter. Esto podr\u00eda ser abusado por un atacante para conducir una Denegaci\u00f3n de Servicio de Regex (ReDoS) en un servidor de un subproceso \u00fanico al proporcionar una carga \u00fatil maliciosa con el encabezado Sec-WebSocket-Extensions.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:N/A:P\",\"baseScore\":5.0,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-Other\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:websocket-extensions_project:websocket-extensions:*:*:*:*:*:ruby:*:*\",\"versionEndExcluding\":\"0.1.5\",\"matchCriteriaId\":\"709E45F8-F7E2-434B-8D0D-E9AF4E9C52FA\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*\",\"matchCriteriaId\":\"7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:canonical:ubuntu_linux:20.04:*:*:*:lts:*:*:*\",\"matchCriteriaId\":\"902B8056-9E37-443B-8905-8AA93E2447FB\"}]}]}],\"references\":[{\"url\":\"https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b\",\"source\":\"report@snyk.io\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html\",\"source\":\"report@snyk.io\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830\",\"source\":\"report@snyk.io\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4502-1/\",\"source\":\"report@snyk.io\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://blog.jcoglan.com/2020/06/02/redos-vulnerability-in-websocket-extensions\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/websocket-extensions-ruby/commit/aa156a439da681361ed6f53f1a8131892418838b\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/faye/websocket-extensions-ruby/security/advisories/GHSA-g6wq-qcwm-j5g2\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/08/msg00031.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://snyk.io/vuln/SNYK-RUBY-WEBSOCKETEXTENSIONS-570830\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Exploit\",\"Third Party Advisory\"]},{\"url\":\"https://usn.ubuntu.com/4502-1/\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

SUSE-SU-2023:0127-1

Vulnerability from csaf_suse - Published: 2023-01-24 12:23 - Updated: 2023-01-24 12:23

Summary

Security update for rubygem-websocket-extensions

Severity

Moderate

Notes

Title of the patch: Security update for rubygem-websocket-extensions

Description of the patch: This update for rubygem-websocket-extensions fixes the following issues: - CVE-2020-7663: Fixed an excessive resource consumption when parsing crafted message headers sent by an attacker (bsc#1172445).

Patchnames: SUSE-2023-127,SUSE-SLE-Product-HA-15-SP1-2023-127,SUSE-SLE-Product-HA-15-SP2-2023-127,SUSE-SLE-Product-HA-15-SP3-2023-127,SUSE-SLE-Product-HA-15-SP4-2023-127,openSUSE-SLE-15.4-2023-127

CVE-2020-7663

4.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

Affected products

Recommended 24 products

Product	Version	Remediation
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x	—	Vendor Fix
Unresolved product id: openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64	—	Vendor Fix

Threats

Impact moderate

References

8 references

URL	Category
https://www.suse.com/support/security/rating/	external
https://ftp.suse.com/pub/projects/security/csaf/s…	self
https://www.suse.com/support/update/announcement/…	self
https://lists.suse.com/pipermail/sle-security-upd…	self
https://bugzilla.suse.com/1172445	self
https://www.suse.com/security/cve/CVE-2020-7663/	self
https://www.suse.com/security/cve/CVE-2020-7663	external
https://bugzilla.suse.com/1172445	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "namespace": "https://www.suse.com/support/security/rating/",
      "text": "moderate"
    },
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Copyright 2024 SUSE LLC. All rights reserved.",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "summary",
        "text": "Security update for rubygem-websocket-extensions",
        "title": "Title of the patch"
      },
      {
        "category": "description",
        "text": "This update for rubygem-websocket-extensions fixes the following issues:\n\n- CVE-2020-7663: Fixed an excessive resource consumption when parsing\n  crafted message headers sent by an attacker (bsc#1172445).\n",
        "title": "Description of the patch"
      },
      {
        "category": "details",
        "text": "SUSE-2023-127,SUSE-SLE-Product-HA-15-SP1-2023-127,SUSE-SLE-Product-HA-15-SP2-2023-127,SUSE-SLE-Product-HA-15-SP3-2023-127,SUSE-SLE-Product-HA-15-SP4-2023-127,openSUSE-SLE-15.4-2023-127",
        "title": "Patchnames"
      },
      {
        "category": "legal_disclaimer",
        "text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
        "title": "Terms of use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://www.suse.com/support/security/contact/",
      "name": "SUSE Product Security Team",
      "namespace": "https://www.suse.com/"
    },
    "references": [
      {
        "category": "external",
        "summary": "SUSE ratings",
        "url": "https://www.suse.com/support/security/rating/"
      },
      {
        "category": "self",
        "summary": "URL of this CSAF notice",
        "url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2023_0127-1.json"
      },
      {
        "category": "self",
        "summary": "URL for SUSE-SU-2023:0127-1",
        "url": "https://www.suse.com/support/update/announcement/2023/suse-su-20230127-1/"
      },
      {
        "category": "self",
        "summary": "E-Mail link for SUSE-SU-2023:0127-1",
        "url": "https://lists.suse.com/pipermail/sle-security-updates/2023-January/013515.html"
      },
      {
        "category": "self",
        "summary": "SUSE Bug 1172445",
        "url": "https://bugzilla.suse.com/1172445"
      },
      {
        "category": "self",
        "summary": "SUSE CVE CVE-2020-7663 page",
        "url": "https://www.suse.com/security/cve/CVE-2020-7663/"
      }
    ],
    "title": "Security update for rubygem-websocket-extensions",
    "tracking": {
      "current_release_date": "2023-01-24T12:23:20Z",
      "generator": {
        "date": "2023-01-24T12:23:20Z",
        "engine": {
          "name": "cve-database.git:bin/generate-csaf.pl",
          "version": "1"
        }
      },
      "id": "SUSE-SU-2023:0127-1",
      "initial_release_date": "2023-01-24T12:23:20Z",
      "revision_history": [
        {
          "date": "2023-01-24T12:23:20Z",
          "number": "1",
          "summary": "Current version"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64"
                }
              }
            ],
            "category": "architecture",
            "name": "aarch64"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.i586",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.i586",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.i586"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.i586",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.i586",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.i586"
                }
              }
            ],
            "category": "architecture",
            "name": "i586"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le"
                }
              }
            ],
            "category": "architecture",
            "name": "ppc64le"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x"
                }
              }
            ],
            "category": "architecture",
            "name": "s390x"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
                }
              },
              {
                "category": "product_version",
                "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64",
                "product": {
                  "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64",
                  "product_id": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64"
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          },
          {
            "branches": [
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp1"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp2"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp3"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                "product": {
                  "name": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                  "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:suse:sle-ha:15:sp4"
                  }
                }
              },
              {
                "category": "product_name",
                "name": "openSUSE Leap 15.4",
                "product": {
                  "name": "openSUSE Leap 15.4",
                  "product_id": "openSUSE Leap 15.4",
                  "product_identification_helper": {
                    "cpe": "cpe:/o:opensuse:leap:15.4"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "SUSE Linux Enterprise"
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP1",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP1"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP2",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP2"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP3",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP3"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64 as component of SUSE Linux Enterprise High Availability Extension 15 SP4",
          "product_id": "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "SUSE Linux Enterprise High Availability Extension 15 SP4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64 as component of openSUSE Leap 15.4",
          "product_id": "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64"
        },
        "product_reference": "ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64",
        "relates_to_product_reference": "openSUSE Leap 15.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-7663",
      "ids": [
        {
          "system_name": "SUSE CVE Page",
          "text": "https://www.suse.com/security/cve/CVE-2020-7663"
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "websocket-extensions ruby module prior to 0.1.5 allows Denial of Service (DoS) via Regex Backtracking. The extension parser may take quadratic time when parsing a header containing an unclosed string parameter value whose content is a repeating two-byte sequence of a backslash and some other character. This could be abused by an attacker to conduct Regex Denial Of Service (ReDoS) on a single-threaded server by providing a malicious payload with the Sec-WebSocket-Extensions header.",
          "title": "CVE description"
        }
      ],
      "product_status": {
        "recommended": [
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
          "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
          "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "CVE-2020-7663",
          "url": "https://www.suse.com/security/cve/CVE-2020-7663"
        },
        {
          "category": "external",
          "summary": "SUSE Bug 1172445 for CVE-2020-7663",
          "url": "https://bugzilla.suse.com/1172445"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
          "product_ids": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
            "version": "3.1"
          },
          "products": [
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP1:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP2:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-0.1.3-150000.3.4.1.x86_64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.aarch64",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.ppc64le",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.s390x",
            "openSUSE Leap 15.4:ruby2.5-rubygem-websocket-extensions-doc-0.1.3-150000.3.4.1.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "date": "2023-01-24T12:23:20Z",
          "details": "moderate"
        }
      ],
      "title": "CVE-2020-7663"
    }
  ]
}

WID-SEC-W-2025-1087

Vulnerability from csaf_certbund - Published: 2020-09-02 22:00 - Updated: 2025-05-18 22:00

Summary

GitLab: Mehrere Schwachstellen

Severity

Hoch

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung: GitLab ist eine Webanwendung zur Versionsverwaltung für Softwareprojekte auf Basis von git.

Angriff: Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um einen Cross-Site Scripting oder Denial of Service Angriff durchzuführen, Sicherheitsmechanismen zu umgehen, Daten zu manipulieren oder vertrauliche Daten einzusehen.

Betroffene Betriebssysteme: - Linux - Sonstiges

CVE-2020-11022

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13284

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13287

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13289

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13297

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13298

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13299

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13300

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13301

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13302

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13303

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13304

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13305

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13306

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13307

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13308

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13309

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13310

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13311

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13312

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13313

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13314

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13315

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13316

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13317

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-13318

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

CVE-2020-7663

Affected products

Known affected 5 products

Product	Identifier	Version
Open Source GitLab <13.3.4 Open Source / GitLab		<13.3.4
Open Source GitLab <13.2.8 Open Source / GitLab		<13.2.8
Open Source GitLab <13.1.10 Open Source / GitLab		<13.1.10
Ubuntu Linux Ubuntu	`cpe:/o:canonical:ubuntu_linux:-`	—
SUSE openSUSE SUSE	`cpe:/o:suse:opensuse:-`	—

References

6 references

URL	Category
https://wid.cert-bund.de/.well-known/csaf/white/2…	self
https://wid.cert-bund.de/portal/wid/securityadvis…	self
https://about.gitlab.com/releases/2020/09/02/secu…	external
https://ubuntu.com/security/notices/USN-4502-1	external
https://usn.ubuntu.com/4502-1/	external
https://lists.opensuse.org/archives/list/security…	external

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "GitLab ist eine Webanwendung zur Versionsverwaltung f\u00fcr Softwareprojekte auf Basis von git.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in GitLab ausnutzen, um einen Cross-Site Scripting oder Denial of Service Angriff durchzuf\u00fchren, Sicherheitsmechanismen zu umgehen, Daten zu manipulieren oder vertrauliche Daten einzusehen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Linux\n- Sonstiges",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2025-1087 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2020/wid-sec-w-2025-1087.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2025-1087 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2025-1087"
      },
      {
        "category": "external",
        "summary": "GitLab Security Release 13.3.4, 13.2.8, and 13.1.10 vom 2020-09-02",
        "url": "https://about.gitlab.com/releases/2020/09/02/security-release-gitlab-13-3-3-released/"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-4502-1 vom 2020-09-16",
        "url": "https://ubuntu.com/security/notices/USN-4502-1"
      },
      {
        "category": "external",
        "summary": "Ubuntu Security Notice USN-4502-1 vom 2020-09-16",
        "url": "https://usn.ubuntu.com/4502-1/"
      },
      {
        "category": "external",
        "summary": "openSUSE Security Update OPENSUSE-SU-2025:15130-1 vom 2025-05-18",
        "url": "https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/3ZQXVCWSC6AX6RNK43O7WPCY77YBJ6EX/"
      }
    ],
    "source_lang": "en-US",
    "title": "GitLab: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2025-05-18T22:00:00.000+00:00",
      "generator": {
        "date": "2025-05-19T08:27:29.362+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.3.12"
        }
      },
      "id": "WID-SEC-W-2025-1087",
      "initial_release_date": "2020-09-02T22:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2020-09-02T22:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2020-09-16T22:00:00.000+00:00",
          "number": "2",
          "summary": "Neue Updates von Ubuntu aufgenommen"
        },
        {
          "date": "2025-05-18T22:00:00.000+00:00",
          "number": "3",
          "summary": "Neue Updates von openSUSE aufgenommen"
        }
      ],
      "status": "final",
      "version": "3"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c13.3.4",
                "product": {
                  "name": "Open Source GitLab \u003c13.3.4",
                  "product_id": "T017200"
                }
              },
              {
                "category": "product_version",
                "name": "13.3.4",
                "product": {
                  "name": "Open Source GitLab 13.3.4",
                  "product_id": "T017200-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gitlab:gitlab:13.3.4"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c13.2.8",
                "product": {
                  "name": "Open Source GitLab \u003c13.2.8",
                  "product_id": "T017201"
                }
              },
              {
                "category": "product_version",
                "name": "13.2.8",
                "product": {
                  "name": "Open Source GitLab 13.2.8",
                  "product_id": "T017201-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gitlab:gitlab:13.2.8"
                  }
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c13.1.10",
                "product": {
                  "name": "Open Source GitLab \u003c13.1.10",
                  "product_id": "T017202"
                }
              },
              {
                "category": "product_version",
                "name": "13.1.10",
                "product": {
                  "name": "Open Source GitLab 13.1.10",
                  "product_id": "T017202-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:gitlab:gitlab:13.1.10"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "GitLab"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "SUSE openSUSE",
            "product": {
              "name": "SUSE openSUSE",
              "product_id": "T027843",
              "product_identification_helper": {
                "cpe": "cpe:/o:suse:opensuse:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "SUSE"
      },
      {
        "branches": [
          {
            "category": "product_name",
            "name": "Ubuntu Linux",
            "product": {
              "name": "Ubuntu Linux",
              "product_id": "T000126",
              "product_identification_helper": {
                "cpe": "cpe:/o:canonical:ubuntu_linux:-"
              }
            }
          }
        ],
        "category": "vendor",
        "name": "Ubuntu"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-11022",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-11022"
    },
    {
      "cve": "CVE-2020-13284",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13284"
    },
    {
      "cve": "CVE-2020-13287",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13287"
    },
    {
      "cve": "CVE-2020-13289",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13289"
    },
    {
      "cve": "CVE-2020-13297",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13297"
    },
    {
      "cve": "CVE-2020-13298",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13298"
    },
    {
      "cve": "CVE-2020-13299",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13299"
    },
    {
      "cve": "CVE-2020-13300",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13300"
    },
    {
      "cve": "CVE-2020-13301",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13301"
    },
    {
      "cve": "CVE-2020-13302",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13302"
    },
    {
      "cve": "CVE-2020-13303",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13303"
    },
    {
      "cve": "CVE-2020-13304",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13304"
    },
    {
      "cve": "CVE-2020-13305",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13305"
    },
    {
      "cve": "CVE-2020-13306",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13306"
    },
    {
      "cve": "CVE-2020-13307",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13307"
    },
    {
      "cve": "CVE-2020-13308",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13308"
    },
    {
      "cve": "CVE-2020-13309",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13309"
    },
    {
      "cve": "CVE-2020-13310",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13310"
    },
    {
      "cve": "CVE-2020-13311",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13311"
    },
    {
      "cve": "CVE-2020-13312",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13312"
    },
    {
      "cve": "CVE-2020-13313",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13313"
    },
    {
      "cve": "CVE-2020-13314",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13314"
    },
    {
      "cve": "CVE-2020-13315",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13315"
    },
    {
      "cve": "CVE-2020-13316",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13316"
    },
    {
      "cve": "CVE-2020-13317",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13317"
    },
    {
      "cve": "CVE-2020-13318",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-13318"
    },
    {
      "cve": "CVE-2020-7663",
      "product_status": {
        "known_affected": [
          "T017200",
          "T017201",
          "T017202",
          "T000126",
          "T027843"
        ]
      },
      "release_date": "2020-09-02T22:00:00.000+00:00",
      "title": "CVE-2020-7663"
    }
  ]
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2020-7663 (GCVE-0-2020-7663)

SUSE-SU-2023:0127-1

WID-SEC-W-2025-1087

Tags

Sightings

Nomenclature