{
  "threat_severity" : "Moderate",
  "public_date" : "2014-02-18T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-actionpack: number_to_currency, number_to_percentage and number_to_human XSS vulnerability",
    "id" : "1065520",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1065520"
  },
  "cvss" : {
    "cvss_base_score" : "4.3",
    "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:N/I:P/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-79",
  "details" : [ "Multiple cross-site scripting (XSS) vulnerabilities in actionview/lib/action_view/helpers/number_helper.rb in Ruby on Rails before 3.2.17, 4.0.x before 4.0.3, and 4.1.x before 4.1.0.beta2 allow remote attackers to inject arbitrary web script or HTML via the (1) format, (2) negative_format, or (3) units parameter to the (a) number_to_currency, (b) number_to_percentage, or (c) number_to_human helper." ],
  "statement" : "Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support\nand maintenance life cycle. This has been rated as having Moderate security\nimpact and is not currently planned to be addressed in future updates. For\nadditional information, refer to the Red Hat OpenShift Enterprise Life Cycle:\nhttps://access.redhat.com/site/support/policy/updates/openshift.",
  "acknowledgement" : "Red Hat would like to thank Ruby on Rails Project for reporting this issue. Upstream acknowledges Kevin Reintjes as the original reporter.",
  "affected_release" : [ {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "cfme-0:5.2.2.3-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-ruby-0:1.9.3.448-40.1.el6"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.13-5.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-amq-protocol-0:1.9.2-3.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-bunny-0:1.0.7-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-excon-0:0.31.0-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-fog-0:1.19.0-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-linux_admin-0:0.7.0-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-more_core_extensions-0:1.1.2-1.el6cf"
  }, {
    "product_name" : "CloudForms Management Engine 5.x",
    "release_date" : "2014-03-11T00:00:00Z",
    "advisory" : "RHSA-2014:0215",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5::el6",
    "package" : "ruby193-rubygem-nokogiri-0:1.5.6-3.el6cf"
  }, {
    "product_name" : "Red Hat Software Collections for RHEL-6",
    "release_date" : "2014-03-17T00:00:00Z",
    "advisory" : "RHSA-2014:0306",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1::el6",
    "package" : "ruby193-rubygem-actionpack-1:3.2.8-5.3.el6"
  } ],
  "package_state" : [ {
    "product_name" : "OpenShift Enterprise 1",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:openshift:1"
  }, {
    "product_name" : "Red Hat OpenStack Platform 3",
    "fix_state" : "Affected",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:openstack:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 4",
    "fix_state" : "Affected",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:openstack:4"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:satellite:6"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Affected",
    "package_name" : "ror40-rubygem-actionpack",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:1"
  }, {
    "product_name" : "Red Hat Subscription Asset Manager",
    "fix_state" : "Will not fix",
    "package_name" : "ruby193-rubygem-actionpack",
    "cpe" : "cpe:/a:rhel_sam:1"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2014-0081\nhttps://nvd.nist.gov/vuln/detail/CVE-2014-0081" ],
  "name" : "CVE-2014-0081",
  "csaw" : false
}