Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-27111

Опубликовано: 04 мар. 2025
Источник: redhat
CVSS3: 5.3
EPSS Низкий

Описание

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

A flaw was found in Rack Rubygem, where the Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. This flaw allows an attacker to inject escape sequences, such as newline characters, into the header, resulting in log injection.

Меры по смягчению последствий

To mitigate this vulnerability, remove usage of Rack::Sendfile.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftopenshift-logging/fluentd-rhel8Will not fix
Red Hat 3scale API Management Platform 23scale-amp-zync-containerAffected
Red Hat Enterprise Linux 7pcsOut of support scope
Red Hat Enterprise Linux 8pcsOut of support scope
Red Hat Enterprise Linux 9rhel9/ruby-30Fix deferred
Red Hat Enterprise Linux 9rhel9/ruby-31Fix deferred
Red Hat Enterprise Linux 9ubi9/ruby-33Fix deferred
Red Hat Satellite 6rubygem-rackFix deferred
Red Hat Satellite 6satellite-capsule:el8/rubygem-rackAffected
Red Hat Satellite 6satellite:el8/rubygem-rackAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-117
Дефект:
CWE-93
https://bugzilla.redhat.com/show_bug.cgi?id=2349810rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

EPSS

Процентиль: 54%
0.00309
Низкий

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-27111

ubuntu
6 месяцев назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

nvd логотип

CVE-2025-27111

nvd
6 месяцев назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

debian логотип

CVE-2025-27111

debian
6 месяцев назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middle ...

suse-cvrf логотип

SUSE-SU-2025:1492-1

suse-cvrf
4 месяца назад

Security update for rubygem-rack-1_6

redos логотип

ROS-20250403-16

CVSS3: 5.3
redos
5 месяцев назад

Уязвимость rubygem-rack

EPSS

Процентиль: 54%
0.00309
Низкий

5.3 Medium

CVSS3