Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1nd2ZnLWNxbWctY2Y4Zs4AAmJ3
WEBrick vulnerable to HTTP Request/Response Smuggling
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
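The advisory's root cause is a lax Transfer-Encoding check that can disagree with the one a reverse proxy performs. As an added example, not WEBrick's own code nor the fix in the referenced commits, this Ruby module shows what a strict check looks like: only RFC 7230 token characters, only known codings, chunked as the final coding, and no Content-Length alongside Transfer-Encoding. The module, method names and the lowercase header-name hash are assumptions.

```ruby
# Added illustration of a strict Transfer-Encoding check (not WEBrick's own code).
# Per RFC 7230 the header is a comma-separated list of transfer-coding tokens,
# "chunked" must be the final coding of a request, and a message carrying both
# Transfer-Encoding and Content-Length is ambiguous and should be rejected.
module StrictTransferEncoding
  class InvalidHeader < StandardError; end

  # Registered transfer codings this server is willing to accept.
  KNOWN_CODINGS = %w[chunked gzip deflate compress].freeze
  # RFC 7230 "token" characters only; anything else (e.g. "\x0b") is rejected.
  TOKEN = /\A[!#%&'*+\-.^_`|~$0-9A-Za-z]+\z/
  # Optional whitespace is only SP and HTAB; String#strip is too lenient here
  # because it also eats vertical tab, form feed and NUL.
  OWS = /\A[ \t]+|[ \t]+\z/

  # headers: Hash of lowercase header name => raw value string (assumed shape).
  # Returns the normalized coding list ([] if absent) or raises InvalidHeader.
  def self.validate(headers)
    te = headers['transfer-encoding']
    return [] if te.nil?
    # Both framing headers present: classic request-smuggling ambiguity.
    raise InvalidHeader, 'Transfer-Encoding with Content-Length' if headers.key?('content-length')

    # split with -1 keeps trailing empty fields so "chunked," is caught below.
    codings = te.split(',', -1).map { |c| c.gsub(OWS, '').downcase }
    codings.each do |c|
      raise InvalidHeader, "bad token #{c.inspect}" unless c.match?(TOKEN)
      raise InvalidHeader, "unknown coding #{c}" unless KNOWN_CODINGS.include?(c)
    end
    raise InvalidHeader, 'chunked must be final' unless codings.last == 'chunked'
    raise InvalidHeader, 'chunked repeated' if codings.count('chunked') > 1
    codings
  end

  # Convenience for callers: would this header set be refused?
  def self.rejects?(headers)
    validate(headers)
    false
  rescue InvalidHeader
    true
  end
end
```

A reverse proxy in front of the server should apply the same rules, since smuggling only works when the two parsers disagree.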
Permalink: https://github.com/advisories/GHSA-gwfg-cqmg-cf8f
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1nd2ZnLWNxbWctY2Y4Zs4AAmJ3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 7 months ago
CVSS Score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Identifiers: GHSA-gwfg-cqmg-cf8f, CVE-2020-25613
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-25613
- https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
- https://hackerone.com/reports/965267
- https://security.netapp.com/advisory/ntap-20210115-0008/
- https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
- https://github.com/ruby/webrick/commit/076ac636bf48b7a492887ce4de7041de23e6c00d
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2020-25613.yml
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/
- https://security.gentoo.org/glsa/202401-27
- https://github.com/advisories/GHSA-gwfg-cqmg-cf8f
Blast Radius: 35.0
Affected Packages
rubygems:webrick
Dependent packages: 428
Dependent repositories: 46,333
Downloads: 278,176,602 total
Affected Version Ranges: < 1.6.1
Fixed in: 1.6.1
All affected versions: 1.3.1, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.5.0, 1.5.1, 1.6.0
All unaffected versions: 1.6.1, 1.7.0, 1.8.0, 1.8.1, 1.8.2, 1.9.0