CVE-2017-1002201

Published: 15 October 2019

In Haml versions prior to 5.0.0.beta.2, user input rendered into output must have characters such as < > " ' escaped properly; Haml's escaping missed the ' character. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
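An added illustration of the defect class the advisory describes, not Haml's own code: a minimal attribute escaper that omits the ' character beside one that covers it, with a check a defender can use to confirm that a value containing ' cannot add attributes of its own when written into a single-quoted attribute. The helper names and the crafted sample value are constructed for this example.

```ruby
# Constructed example: single-quoted attribute rendering with and without
# escaping of the ' character (the gap named in CVE-2017-1002201).

# Escaper that covers & < > " but not ' (the incomplete behaviour).
INCOMPLETE_MAP = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;', '"' => '&quot;' }.freeze
# Escaper that also replaces ' so it can never close the attribute quote.
COMPLETE_MAP = INCOMPLETE_MAP.merge("'" => '&#39;').freeze

def escape_attr_incomplete(value)
  value.to_s.gsub(/[&<>"]/, INCOMPLETE_MAP)
end

def escape_attr(value)
  value.to_s.gsub(/[&<>"']/, COMPLETE_MAP)
end

# Render one attribute the way a template engine would, between single quotes.
def render_attr(name, value, complete: true)
  escaped = complete ? escape_attr(value) : escape_attr_incomplete(value)
  "#{name}='#{escaped}'"
end

# Count attributes actually present in the rendered fragment. More than one
# means the value broke out of its quoted context.
def attribute_count(markup)
  markup.scan(/\b[\w-]+='[^']*'/).size
end

# Regression check: true when the value stays confined to a single attribute.
def attribute_confined?(value, complete: true)
  attribute_count(render_attr('title', value, complete: complete)) == 1
end

if __FILE__ == $PROGRAM_NAME
  sample = "x' data-extra='y"   # constructed test value containing '
  puts render_attr('title', sample, complete: false)
  puts render_attr('title', sample, complete: true)
  puts "incomplete escaper confined: #{attribute_confined?(sample, complete: false)}"
  puts "complete escaper confined:   #{attribute_confined?(sample, complete: true)}"
end
```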

From the Ubuntu security team

It was discovered that Haml did not properly escape the ' character. If Haml were made to process crafted data, an attacker could execute arbitrary code.

Priority: Medium

CVSS 3 base score: 6.1

Status

Package: ruby-haml

Release                              Status
Upstream                             Released (5.0.4-1)
Ubuntu 20.10 (Groovy Gorilla)        Not vulnerable (5.0.4-3)
Ubuntu 20.04 LTS (Focal Fossa)       Not vulnerable (5.0.4-3)
Ubuntu 18.04 LTS (Bionic Beaver)     Needed
Ubuntu 16.04 LTS (Xenial Xerus)      Needed
Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist
Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist