Описание
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat 3scale API Management Platform 2 | 3amp-system | Fix deferred | ||
| Red Hat Enterprise Linux 5 | ruby | Out of support scope | ||
| Red Hat Enterprise Linux 6 | ruby | Out of support scope | ||
| Red Hat Enterprise Linux 7 | ruby | Fix deferred | ||
| Red Hat Software Collections | rh-ruby24-ruby | Fix deferred | ||
| Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2021:2587 | 29.06.2021 |
| Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2021:2588 | 29.06.2021 |
| Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions | ruby | Fixed | RHSA-2022:0581 | 21.02.2022 |
| Red Hat Enterprise Linux 8.2 Extended Update Support | ruby | Fixed | RHSA-2022:0582 | 21.02.2022 |
| Red Hat Software Collections for Red Hat Enterprise Linux 7 | rh-ruby25-ruby | Fixed | RHSA-2021:2104 | 26.05.2021 |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allow ...
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
EPSS
5.3 Medium
CVSS3