CVE-2019-15587: Ops Manager contains a vulnerable Loofah gem
Severity
Medium
Vendor
Loofah Team
Versions Affected
- Loofah gem through 2.3.0
Description
Pivotal Ops Manager 2.7.x versions prior to 2.7.2, 2.6.x versions prior to 2.6.13, and 2.5.x versions prior to 2.5.21 bundle a vulnerable version of the Loofah gem for Ruby. In the affected Loofah versions, a crafted SVG element could pass through the sanitizer such that unsanitized JavaScript appeared in the sanitized output when that output was republished.
Affected VMware Products and Versions
Severity is medium unless otherwise noted.
- Pivotal Ops Manager
  - 2.5 versions prior to 2.5.21
  - 2.6 versions prior to 2.6.13
  - 2.7 versions prior to 2.7.2
Mitigation
Users of affected versions should upgrade to a fixed release; no workaround short of upgrading is provided. Releases that have fixed this issue include:
- Pivotal Ops Manager
  - 2.5.21
  - 2.6.13
  - 2.7.2
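The following Ruby script is an added example, not part of this advisory or of the Ops Manager or Loofah code bases. It turns the version ranges stated above into a check a practitioner can run: it reads the gem versions pinned in a Gemfile.lock and flags a Loofah version the advisory lists as affected (through 2.3.0), and it classifies an Ops Manager version against the 2.5/2.6/2.7 fixed releases. The Gemfile.lock content is constructed for the example; Ruby's built-in Gem::Version does the version comparison so pre-release and multi-digit segments compare correctly.

```ruby
# Added example (not from the advisory): audit a Gemfile.lock and an
# Ops Manager version against the ranges CVE-2019-15587 lists.
require "rubygems" # provides Gem::Version (loaded by default in modern Ruby)

# The advisory lists Loofah as affected "through 2.3.0".
LOOFAH_LAST_AFFECTED = Gem::Version.new("2.3.0")

# Ops Manager fixed releases per minor line, taken from the advisory.
OPS_MANAGER_FIXED = {
  "2.5" => Gem::Version.new("2.5.21"),
  "2.6" => Gem::Version.new("2.6.13"),
  "2.7" => Gem::Version.new("2.7.2"),
}.freeze

# true when the given Loofah version falls inside the affected range.
def loofah_affected?(version)
  Gem::Version.new(version) <= LOOFAH_LAST_AFFECTED
end

# true/false for the 2.5, 2.6 and 2.7 lines; nil for minor lines the
# advisory does not cover (so callers do not mistake "unknown" for "safe").
def ops_manager_affected?(version)
  v = Gem::Version.new(version)
  minor_line = v.segments[0, 2].join(".")
  fixed = OPS_MANAGER_FIXED[minor_line]
  return nil if fixed.nil?
  v < fixed
end

# Collect "name (version)" entries from the specs section of a Gemfile.lock.
# Spec lines are indented exactly four spaces; their dependency lines are
# indented six and are skipped, so only resolved versions are collected.
def lockfile_gem_versions(lock_text)
  lock_text.each_line.with_object({}) do |line, gems|
    if (m = line.match(/\A {4}([A-Za-z0-9_.\-]+) \(([^)]+)\)\s*\z/))
      gems[m[1]] = m[2]
    end
  end
end

# Return human-readable findings for the Loofah pin in a lock file.
def audit_lockfile(lock_text)
  gems = lockfile_gem_versions(lock_text)
  findings = []
  if (loofah = gems["loofah"])
    status = loofah_affected?(loofah) ? "AFFECTED (CVE-2019-15587)" : "not affected"
    findings << "loofah #{loofah}: #{status}"
  else
    findings << "loofah: not present in lock file"
  end
  findings
end

# Constructed sample lock file for the example; not taken from any real release.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      crass (1.0.5)
      loofah (2.3.0)
        crass (~> 1.0.2)
        nokogiri (>= 1.5.9)
      nokogiri (1.10.4)
        mini_portile2 (~> 2.4.0)
      mini_portile2 (2.4.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts audit_lockfile(SAMPLE_LOCK)
  puts "Ops Manager 2.6.12 affected? #{ops_manager_affected?('2.6.12').inspect}"
end
```

Against a real installation, feed the script the Gemfile.lock shipped with the Ops Manager web application rather than the constructed sample; the nil result for minor lines outside 2.5 through 2.7 is deliberate, since the advisory makes no statement about them.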
References
History
2019-11-25: Initial vulnerability report published.