Candidate: CVE-2017-1002201
PublicDate: 2019-10-15 18:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1002201
 https://github.com/haml/haml/commit/18576ae6e9bdcb4303fdbe6b3199869d289d67c2
 https://snyk.io/vuln/SNYK-RUBY-HAML-20362
Description:
 In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing code.
Ubuntu-Description:
 It was discovered that Haml did not properly escape the ' character. If Haml were made to process crafted data, an attacker could execute arbitrary code.
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N [6.1 MEDIUM]

Patches_ruby-haml:
upstream_ruby-haml: released (5.0.4-1)
precise/esm_ruby-haml: DNE
trusty_ruby-haml: ignored (out of standard support)
trusty/esm_ruby-haml: DNE
xenial_ruby-haml: ignored (end of standard support, was needed)
bionic_ruby-haml: needed
disco_ruby-haml: not-affected (5.0.4-3)
eoan_ruby-haml: not-affected (5.0.4-3)
focal_ruby-haml: not-affected (5.0.4-3)
groovy_ruby-haml: not-affected (5.0.4-3)
hirsute_ruby-haml: not-affected (5.0.4-3)
impish_ruby-haml: not-affected (5.0.4-3)
jammy_ruby-haml: not-affected (5.0.4-3)
devel_ruby-haml: not-affected (5.0.4-3)