CVE-2019-15587: Ops Manager contains a vulnerable Loofah gem


Severity

Medium

Vendor

Loofah Team

Versions Affected

  • Loofah through 2.3.0 (fixed in Loofah 2.3.1)

Description

Pivotal Ops Manager 2.7.x versions prior to 2.7.2, 2.6.x versions prior to 2.6.13, and 2.5.x versions prior to 2.5.21 bundle a vulnerable version of the Loofah gem for Ruby. In the affected Loofah versions, unsanitized JavaScript may appear in sanitized output when a crafted SVG element is republished.

Affected VMware Products and Versions

Severity is medium unless otherwise noted.

  • Pivotal Ops Manager
    • 2.5 versions prior to 2.5.21
    • 2.6 versions prior to 2.6.13
    • 2.7 versions prior to 2.7.2

Mitigation

Users of affected versions should upgrade. No other mitigation is available; the fix is the updated Loofah gem shipped in the following releases:

  • Pivotal Ops Manager
    • 2.5.21
    • 2.6.13
    • 2.7.2
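To triage an installation against this advisory, the two facts that matter are the Ops Manager version (is it on an affected branch, and below that branch's fixed release?) and, for any other Ruby application, the Loofah version pinned in its Gemfile.lock. The following Ruby is an added example written for this page, not code from Pivotal, VMware or the Loofah project; the function names and the Gemfile.lock excerpt are constructed for illustration, and only the version numbers come from the advisory.

```ruby
require "rubygems" # Gem::Version ships with Ruby; the explicit require is for clarity

# First fixed Ops Manager release on each affected branch, per the advisory.
# Branches not listed here (e.g. 2.4) are not covered by this advisory.
OPS_MANAGER_FIXED = {
  "2.5" => Gem::Version.new("2.5.21"),
  "2.6" => Gem::Version.new("2.6.13"),
  "2.7" => Gem::Version.new("2.7.2"),
}.freeze

# Loofah is affected through 2.3.0; 2.3.1 carries the fix for CVE-2019-15587.
LOOFAH_FIXED = Gem::Version.new("2.3.1")

# Returns :affected, :fixed, or :not_listed for an Ops Manager version string.
# The branch is the first two version segments ("2.7.1" -> "2.7"), so a later
# branch such as 2.8 is reported as :not_listed rather than assumed fixed.
def ops_manager_status(version_string)
  version = Gem::Version.new(version_string)
  branch  = version.segments.first(2).join(".")
  fixed   = OPS_MANAGER_FIXED[branch]
  return :not_listed unless fixed

  version < fixed ? :affected : :fixed
end

# Returns :affected or :fixed for a Loofah gem version string.
def loofah_status(version_string)
  Gem::Version.new(version_string) < LOOFAH_FIXED ? :affected : :fixed
end

# Pulls the resolved loofah version out of Gemfile.lock text. Bundler writes
# resolved gems under GEM/specs indented by four spaces, "    loofah (2.2.3)",
# while dependency requirements are indented by six, so only the resolved line
# matches. Returns nil when loofah is not in the lockfile.
def loofah_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}loofah \((\d[^)]*)\)/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt (hypothetical application, not from the advisory).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.4)
      loofah (2.2.3)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
LOCK

if $PROGRAM_NAME == __FILE__
  %w[2.5.20 2.5.21 2.6.12 2.6.13 2.7.1 2.7.2 2.4.9].each do |v|
    puts "Ops Manager #{v}: #{ops_manager_status(v)}"
  end
  pinned = loofah_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "Gemfile.lock pins loofah #{pinned}: #{loofah_status(pinned)}"
end
```

Comparing with Gem::Version rather than string comparison matters here: "2.5.9" sorts after "2.5.21" as a string but before it as a version, which would misreport the very releases this advisory is about.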

History

2019-11-25: Initial vulnerability report published.