PT-2018-3121 · Ruby+6 · Ruby+6
Aaron Patterson
·
Publicado
2018-03-28
·
Atualizado
2023-05-01
·
CVE-2017-17742
CVSS v3.1
5.3
Média
| Vetor | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Ruby versions prior to 2.2.10
Ruby versions 2.3.x prior to 2.3.7
Ruby versions 2.4.x prior to 2.4.4
Ruby versions 2.5.x prior to 2.5.1
Ruby version 2.6.0-preview1
Description
The issue is related to the WEBrick library in the Ruby programming language, specifically concerning the handling of CRLF sequences in HTTP headers. This can allow an attacker to inject crafted HTTP headers, potentially leading to an HTTP Response Splitting attack. An attacker can exploit this by injecting a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Recommendations
For Ruby versions prior to 2.2.10, update to version 2.2.10 or later.
For Ruby versions 2.3.x prior to 2.3.7, update to version 2.3.7 or later.
For Ruby versions 2.4.x prior to 2.4.4, update to version 2.4.4 or later.
For Ruby versions 2.5.x prior to 2.5.1, update to version 2.5.1 or later.
For Ruby version 2.6.0-preview1, update to a later version.
Exploit
Correção
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Alt Linux
Astra Linux
Centos
Red Hat
Ruby
Suse
Ubuntu