Posted by mame on 1 Oct 2019
There is an HTTP response splitting vulnerability in WEBrick bundled with Ruby. This vulnerability has been assigned the CVE identifier CVE-2019-16254.
If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients.
This is the same issue as CVE-2017-17742. The previous fix was incomplete: it addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
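The following Ruby sketch is an added example, not WEBrick's code and not part of the original advisory. It models a header check that rejects only the CRLF pair next to one that rejects any CR or LF, and shows how many header lines a lenient recipient would see in each case. All method names, the `Content-Language` header and the sample values are constructed for illustration.

```ruby
class HeaderInjectionError < StandardError; end

# Simplified model of an incomplete check: only the CRLF pair is rejected.
def check_crlf_only(value)
  raise HeaderInjectionError, "CRLF in header value" if value.include?("\r\n")
  value
end

# Complete check: reject any CR or LF, paired or isolated.
def check_any_cr_or_lf(value)
  raise HeaderInjectionError, "CR or LF in header value" if value.match?(/[\r\n]/)
  value
end

# Serialize a header hash into a response head, validating with `checker`.
def build_head(headers, checker)
  lines = headers.map { |name, value| "#{name}: #{send(checker, value.to_s)}" }
  "HTTP/1.1 200 OK\r\n" + lines.join("\r\n") + "\r\n\r\n"
end

# Header names as seen by a lenient recipient (assumption) that accepts
# CRLF, bare LF or bare CR as a line terminator.
def header_names_seen(head)
  head.split(/\r\n|\n|\r/).drop(1).reject(&:empty?).map { |l| l.split(":", 2).first }
end

# Returns :rejected, or the header names a recipient would parse.
def outcome(value, checker)
  header_names_seen(build_head({ "Content-Language" => value }, checker))
rescue HeaderInjectionError
  :rejected
end

# Constructed sample inputs standing in for untrusted values.
SAMPLES = {
  "clean"   => "en",
  "crlf"    => "en\r\nX-Injected: 1",
  "bare_lf" => "en\nX-Injected: 1",
  "bare_cr" => "en\rX-Injected: 1",
}

if __FILE__ == $0
  SAMPLES.each do |label, value|
    weak   = outcome(value, :check_crlf_only).inspect
    strict = outcome(value, :check_any_cr_or_lf).inspect
    puts "#{label}: crlf_only=#{weak} strict=#{strict}"
  end
end
```

Applications that must run on an affected release until they can upgrade can apply the same any-CR-or-LF rejection to untrusted data before it reaches a response header.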
All users running an affected release should upgrade immediately.
- All releases that are Ruby 2.3 or earlier
- Ruby 2.4 series: Ruby 2.4.7 or earlier
- Ruby 2.5 series: Ruby 2.5.6 or earlier
- Ruby 2.6 series: Ruby 2.6.4 or earlier
- Ruby 2.7.0-preview1
- prior to master commit 3ce238b5f9795581eb84114dcfbdf4aa086bfecc
Thanks to znz for discovering this issue.
- Originally published at 2019-10-01 11:00:00 (UTC)