Description
The cgi gem before 0.1.0.2, 0.2.x before 0.2.2, and 0.3.x before 0.3.5 for Ruby allows HTTP response splitting. This is relevant to applications that use untrusted user input either to generate an HTTP response or to create a CGI::Cookie object.
A vulnerability was found in Ruby that allows HTTP header injection. A CGI application using the CGI library may insert untrusted input into the HTTP response header. Because the input is not checked for CR/LF, an attacker can supply a newline to terminate the current header and append attacker-controlled headers (for example an extra Set-Cookie) or body content, which the client then treats as part of the server's response.
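The following Ruby is an added, constructed illustration of the flaw class described above; it is not code from this page or from the cgi gem. It builds a response the naive way (interpolating an untrusted cookie value into a Set-Cookie line, as an application doing its own header assembly might), shows both a header-injection payload and a full response-splitting payload, and contrasts that with a hardened builder that rejects CR/LF. The function names, the payloads and the minimal response parser are all assumptions made for the example.

```ruby
# Constructed example, not the cgi gem's own code: HTTP response splitting
# through an unvalidated Set-Cookie value, and the check that prevents it.

CRLF = "\r\n"

# Naive header assembly: trusts every field, exactly the pattern that is
# exploitable when `value` comes from a request parameter.
def naive_cookie_header(name, value, path: "/")
  "Set-Cookie: #{name}=#{value}; path=#{path}"
end

# Assemble a complete HTTP/1.1 response around the naive cookie header.
def naive_response(cookie_name, cookie_value, body)
  headers = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    naive_cookie_header(cookie_name, cookie_value),
  ]
  headers.join(CRLF) + CRLF + CRLF + body
end

# Minimal client-side view of a response: header lines and body are
# separated by the first blank line, headers by CRLF.
def response_header_lines(resp)
  head, _body = resp.split(CRLF + CRLF, 2)
  head.split(CRLF)
end

def response_body(resp)
  _head, body = resp.split(CRLF + CRLF, 2)
  body || ""
end

# Hardened builder: any CR or LF in a header field is an error, never data.
# (Hypothetical helper; the fixed gem validates in CGI::Cookie and header
# generation, this example only demonstrates the check.)
def assert_header_safe!(field, s)
  raise ArgumentError, "#{field} contains CR/LF: #{s.inspect}" if s.match?(/[\r\n]/)
  s
end

def safe_cookie_header(name, value, path: "/")
  "Set-Cookie: " \
    "#{assert_header_safe!("cookie name", name)}=" \
    "#{assert_header_safe!("cookie value", value)}; " \
    "path=#{assert_header_safe!("cookie path", path)}"
end

if __FILE__ == $0
  # Constructed attacker input: terminates the cookie header and adds one.
  inject = "guest\r\nSet-Cookie: role=admin"
  p response_header_lines(naive_response("user", inject, "<p>hi</p>"))

  # Constructed attacker input: ends the header block, so everything after
  # the blank line becomes the body the client renders (response splitting).
  split = "x\r\n\r\n<script>alert(1)</script>"
  p response_body(naive_response("user", split, "<p>hi</p>"))

  begin
    safe_cookie_header("user", inject)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

Run it with a current Ruby; the first two printed values show the injected Set-Cookie line and the attacker-controlled body, and the third shows the hardened builder refusing the same input. Rejecting CR/LF outright, rather than stripping or encoding, is the right choice for header fields: there is no legitimate use for a bare newline inside one.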
Statement
Red Hat rates this flaw as Moderate: it is more difficult to exploit than a critical or important flaw, but under certain circumstances, or in unlikely configurations, it could still lead to some compromise of the confidentiality, integrity, or availability of resources.
Affected packages
Platform | Package | State | Errata | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 6 | ruby | Out of support scope | ||
Red Hat Enterprise Linux 7 | ruby | Out of support scope | ||
Red Hat Software Collections | rh-ruby30-ruby | Will not fix | ||
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2023:3821 | 27.06.2023 |
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2023:7025 | 14.11.2023 |
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2024:1431 | 19.03.2024 |
Red Hat Enterprise Linux 8 | ruby | Fixed | RHSA-2024:3500 | 30.05.2024 |
Red Hat Enterprise Linux 9 | ruby | Fixed | RHSA-2024:1576 | 01.04.2024 |
Red Hat Enterprise Linux 9 | ruby | Fixed | RHSA-2024:3838 | 11.06.2024 |
Red Hat Enterprise Linux 9.2 Extended Update Support | ruby | Fixed | RHSA-2024:4542 | 15.07.2024 |
Additional information
CVSS3 base score: 8.8 High
Related vulnerabilities
Vulnerability in the CGI component of the Ruby programming language that allows an attacker to gain access to confidential data, violate its integrity, and cause a denial of service.