{
  "threat_severity" : "Moderate",
  "public_date" : "2014-01-27T00:00:00Z",
  "bugzilla" : {
    "description" : "libyaml: heap-based buffer overflow when parsing YAML tags",
    "id" : "1033990",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1033990"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:A/AC:H/Au:N/C:P/I:P/A:P",
    "status" : "verified"
  },
  "cwe" : "CWE-122",
  "details" : [ "The yaml_parser_scan_tag_uri function in scanner.c in LibYAML before 0.1.5 performs an incorrect cast, which allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via crafted tags in a YAML document, which triggers a heap-based buffer overflow.", "A heap-based buffer overflow exists in the libyaml package. A remote attacker could provide a specially crafted YAML document which, when parsed by the application, could result in remote code execution and complete compromise of the system." ],
  "statement" : "The Red Hat security response team has rated this issue as having low security impact in Red Hat Enterprise MRG 1 and 2, CloudForms 3, and Red Hat Network Satellite 5. This issue is not currently planned to be addressed in future updates. Red Hat Satellite 6 does not ship libyaml.\nThe Red Hat security response team has rated this issue as having low security impact in Red Hat Update Infrastructure. A future update may address this issue.\nThe Red Hat security response team has rated this issue as having moderate security impact in Subscription Asset Manager 1. A future update may address this issue.\nFor additional information, refer to the Issue Severity Classification:\nhttps://access.redhat.com/security/updates/classification/",
  "acknowledgement" : "This issue was discovered by Florian Weimer (Red Hat Product Security Team).",
  "affected_release" : [ {
    "product_name" : "OpenStack 3 for RHEL 6",
    "release_date" : "2014-04-02T00:00:00Z",
    "advisory" : "RHSA-2014:0353",
    "cpe" : "cpe:/a:redhat:openstack:3::el6",
    "package" : "libyaml-0:0.1.3-1.4.el6"
  }, {
    "product_name" : "OpenStack 3 for RHEL 6",
    "release_date" : "2014-04-03T00:00:00Z",
    "advisory" : "RHSA-2014:0364",
    "cpe" : "cpe:/a:redhat:openstack:3::el6",
    "package" : "ruby193-libyaml-0:0.1.4-5.1.el6"
  }, {
    "product_name" : "OpenStack 4 for RHEL 6",
    "release_date" : "2014-04-02T00:00:00Z",
    "advisory" : "RHSA-2014:0354",
    "cpe" : "cpe:/a:redhat:openstack:4::el6",
    "package" : "libyaml-0:0.1.3-1.4.el6"
  }, {
    "product_name" : "Red Hat Common for RHEL 6",
    "release_date" : "2014-04-17T00:00:00Z",
    "advisory" : "RHSA-2014:0415",
    "cpe" : "cpe:/a:redhat:rhel_common:6::el6",
    "package" : "libyaml-0:0.1.3-1.4.el6"
  }, {
    "product_name" : "Red Hat Software Collections for RHEL-6",
    "release_date" : "2014-04-02T00:00:00Z",
    "advisory" : "RHSA-2014:0355",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "ruby193-libyaml-0:0.1.4-5.1.el6"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Not affected",
    "package_name" : "ruby193-libyaml",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-libyaml",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Affected",
    "package_name" : "libyaml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "libyaml",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 1",
    "fix_state" : "Will not fix",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:1"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Will not fix",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  }, {
    "product_name" : "Red Hat Satellite 5",
    "fix_state" : "Will not fix",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:redhat:network_satellite:5"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Not affected",
    "package_name" : "ruby193-libyaml",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Affected",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "libyaml",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2013-6393\nhttps://nvd.nist.gov/vuln/detail/CVE-2013-6393" ],
  "name" : "CVE-2013-6393",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}