Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-27111

Опубликовано: 04 мар. 2025
Источник: redhat
CVSS3: 5.3

Описание

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

A flaw was found in Rack Rubygem, where the Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. This flaw allows an attacker to inject escape sequences, such as newline characters, into the header, resulting in log injection.

Меры по смягчению последствий

To mitigate this vulnerability, remove usage of Rack::Sendfile.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftopenshift-logging/fluentd-rhel8Will not fix
Red Hat 3scale API Management Platform 23scale-amp-zync-containerAffected
Red Hat Enterprise Linux 7pcsOut of support scope
Red Hat Enterprise Linux 8pcsOut of support scope
Red Hat Enterprise Linux 9ruby-30Affected
Red Hat Enterprise Linux 9ruby-31Affected
Red Hat Enterprise Linux 9ruby-33Affected
Red Hat Satellite 6rubygem-rackFix deferred
Red Hat Satellite 6satellite-capsule:el8/rubygem-rackAffected
Red Hat Satellite 6satellite:el8/rubygem-rackAffected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-117
Дефект:
CWE-93
https://bugzilla.redhat.com/show_bug.cgi?id=2349810rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

5.3 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-27111

ubuntu
4 месяца назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

nvd логотип

CVE-2025-27111

nvd
4 месяца назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

debian логотип

CVE-2025-27111

debian
4 месяца назад

Rack is a modular Ruby web server interface. The Rack::Sendfile middle ...

suse-cvrf логотип

SUSE-SU-2025:1492-1

suse-cvrf
около 1 месяца назад

Security update for rubygem-rack-1_6

redos логотип

ROS-20250403-16

CVSS3: 5.3
redos
3 месяца назад

Уязвимость rubygem-rack

5.3 Medium

CVSS3