{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/centos8.4els/vex/2019/cve-2019-8690-els_os-centos8_4els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T16:10:13Z",
      "generator": {
        "date": "2026-04-20T16:10:13Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2019-8690-ELS_OS-CENTOS8.4ELS",
      "initial_release_date": "2019-12-18T18:15:00Z",
      "revision_history": [
        {
          "date": "2019-12-18T18:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-14T11:44:33Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T16:10:13Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2019-8690"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Community Enterprise Operating System 8.4",
                "product": {
                  "name": "Community Enterprise Operating System 8.4",
                  "product_id": "CentOS-8.4",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:centos:centos:8.4:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Community Enterprise Operating System"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "file-roller-0:3.28.1-3.el8.4.x86_64",
                "product": {
                  "name": "file-roller-0:3.28.1-3.el8.4.x86_64",
                  "product_id": "file-roller-0:3.28.1-3.el8.4.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/centos/file-roller@3.28.1-3.el8.4?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "Red Hat, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                "product": {
                  "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                  "product_id": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
                  "product_identification_helper": {
                    "purl": "pkg:rpm/tuxcare/file-roller@3.28.1-3.el8.4.tuxcare.els1?arch=x86_64"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "x86_64"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64"
        },
        "product_reference": "file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "file-roller-0:3.28.1-3.el8.4.x86_64 as a component of Community Enterprise Operating System 8.4",
          "product_id": "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
        },
        "product_reference": "file-roller-0:3.28.1-3.el8.4.x86_64",
        "relates_to_product_reference": "CentOS-8.4"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2019-8690",
      "cwe": {
        "id": "CWE-79",
        "name": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
      },
      "notes": [
        {
          "category": "description",
          "text": "A logic issue existed in the handling of document loads. This issue was addressed with improved state management. This issue is fixed in iOS 12.4, macOS Mojave 10.14.6, tvOS 12.4, Safari 12.1.2, iTunes for Windows 12.9.6, iCloud for Windows 7.13, iCloud for Windows 10.6. Processing maliciously crafted web content may lead to universal cross site scripting.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
          "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2019-8690"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210346",
          "url": "https://support.apple.com/HT210346"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210348",
          "url": "https://support.apple.com/HT210348"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210351",
          "url": "https://support.apple.com/HT210351"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210355",
          "url": "https://support.apple.com/HT210355"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210356",
          "url": "https://support.apple.com/HT210356"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210357",
          "url": "https://support.apple.com/HT210357"
        },
        {
          "category": "external",
          "summary": "https://support.apple.com/HT210358",
          "url": "https://support.apple.com/HT210358"
        }
      ],
      "release_date": "2019-12-18T18:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "This CVE is a client-side WebKit universal XSS in Apple software (Safari on iOS/macOS/tvOS and Apple Windows clients) that only triggers when a user loads malicious web content. Server and VM workloads running Linux typically operate without GUI WebKit-based browsers or interactive web browsing, so they are outside the vulnerable usage path and are not exposed through server-facing services. Given the user-interaction requirement, limited confidentiality/integrity impact, no availability impact, and the fact that Apple addressed it in 2019 releases, it can be safely deprioritized for managed Linux server environments. This assessment rests on the absence of interactive browsing; hosts where users open untrusted web content in a WebKit-based application should be assessed separately.",
          "product_ids": [
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "products": [
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.tuxcare.els1.x86_64",
            "CentOS-8.4:file-roller-0:3.28.1-3.el8.4.x86_64"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}