PT-2020-5675 · Ruby+9 · Webrick+10
Piao · Published 2020-10-01 · Updated 2025-09-29 · CVE-2020-25613
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Ruby versions prior to 2.5.9
Ruby versions 2.6.x through 2.6.6
Ruby versions 2.7.x through 2.7.1
WEBrick gem 1.6.0 and earlier (standalone gem)
Description

WEBrick, the HTTP server library bundled with Ruby, did not check the value of the Transfer-Encoding request header rigorously. A request carrying a malformed Transfer-Encoding value can therefore be framed one way by a reverse proxy in front of WEBrick (one that also checks the header poorly) and another way by WEBrick itself: the proxy forwards what it believes is a single request, while WEBrick parses it as two. A remote, unauthenticated attacker can use this desynchronization to smuggle a request past the proxy's controls, impacting data integrity (CVSS I:H); confidentiality and availability are not directly affected.
Recommendations

Ruby versions prior to 2.5.9: update to 2.5.9 or later.
Ruby versions 2.6.x through 2.6.6: update to 2.6.7 or later.
Ruby versions 2.7.x through 2.7.1: update to 2.7.2 or later.
WEBrick installed as a standalone gem: update to 1.6.1 or later (gem update webrick).

As a temporary workaround, restrict network access to the WEBrick server (bind it to localhost or a trusted network only). Because the attack relies on a reverse proxy that frames the request differently from WEBrick, avoid exposing an unpatched WEBrick through such a proxy until it is updated.
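The desynchronization described above, as an added example that is not WEBrick's code: a toy HTTP/1.1 request reader with three header-checking policies. The `:proxy` policy models a front end that uses chunked framing only for the exact token `chunked` and otherwise falls back to Content-Length; `:lax` models the weak check (a substring match, so `xchunked` counts as chunked); `:strict` accepts only the exact token and refuses anything else with a 501 instead of guessing the framing. The payload, host name and paths are constructed for the example. Reading the same bytes with `:proxy` and `:lax` shows one request on the proxy side and two on the origin side, and `smuggled_paths` lists what the origin executed that the proxy never inspected.

```ruby
require "stringio"

# Header-checking policies modelled in this example (not WEBrick's parser):
#   :proxy  - exact "chunked" token, otherwise silently uses Content-Length
#   :lax    - substring match, so "xchunked" is treated as chunked
#   :strict - exact token or 501; never falls back to Content-Length
MODES = %i[proxy lax strict].freeze

# Constructed payload. Content-Length covers everything after the headers, so
# the proxy forwards it all as one POST; a lax origin reading chunked framing
# stops at the "0" chunk and parses the remainder as a second request.
SMUGGLED_BODY = "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
SMUGGLED = "POST /search HTTP/1.1\r\nHost: app.example\r\n" \
           "Content-Length: #{SMUGGLED_BODY.bytesize}\r\n" \
           "Transfer-Encoding: xchunked\r\n\r\n#{SMUGGLED_BODY}"

# Constructed well-formed chunked request: strict mode must still serve it.
BENIGN = "POST /search HTTP/1.1\r\nHost: app.example\r\n" \
         "Transfer-Encoding: chunked\r\n\r\n5\r\nhello\r\n0\r\n\r\n"

def read_chunked(io)
  body = +""
  loop do
    size_line = io.gets("\r\n") or raise "truncated chunked body"
    size = size_line.chomp("\r\n").split(";", 2).first.to_i(16) # drop chunk extensions
    break if size.zero?
    body << io.read(size)
    io.read(2) # CRLF terminating the chunk data
  end
  io.gets("\r\n") # CRLF after the last-chunk (trailers are not modelled)
  body
end

def parse_request(io, mode)
  raise ArgumentError, "unknown mode #{mode}" unless MODES.include?(mode)
  line = io.gets("\r\n")&.chomp("\r\n")
  return nil if line.nil? || line.empty?
  headers = {}
  while (h = io.gets("\r\n")) && h != "\r\n"
    name, value = h.chomp("\r\n").split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  te = headers["transfer-encoding"]
  chunked = case mode
            when :lax then te&.match?(/chunked/i)
            else           te&.match?(/\Achunked\z/i)
            end
  if te && !chunked && mode == :strict
    # Unrecognised transfer-coding: refuse rather than guess the framing.
    raise NotImplementedError, "Transfer-Encoding: #{te}"
  end
  body = chunked ? read_chunked(io) : io.read(headers.fetch("content-length", "0").to_i).to_s
  { line: line, headers: headers, body: body }
end

# Every request a reader with the given policy extracts from one payload.
def parse_all(raw, mode)
  io = StringIO.new(raw)
  seen = []
  until io.eof?
    req = parse_request(io, mode) or break
    seen << req
  end
  seen
end

def request_lines(raw, mode)
  parse_all(raw, mode).map { |r| r[:line] }
end

# Paths the lax origin executes that the proxy never saw as a request line.
def smuggled_paths(raw)
  front = request_lines(raw, :proxy).map { |l| l.split(" ")[1] }
  back  = request_lines(raw, :lax).map   { |l| l.split(" ")[1] }
  back - front
end

# true when the policy refuses the payload (501) instead of framing it.
def rejects?(raw, mode)
  parse_all(raw, mode)
  false
rescue NotImplementedError
  true
end

if __FILE__ == $0
  puts "proxy sees:   #{request_lines(SMUGGLED, :proxy).inspect}"
  puts "lax origin:   #{request_lines(SMUGGLED, :lax).inspect}"
  puts "smuggled:     #{smuggled_paths(SMUGGLED).inspect}"
  puts "strict 501?:  #{rejects?(SMUGGLED, :strict)}"
  puts "strict body:  #{parse_all(BENIGN, :strict).first[:body].inspect}"
end
```

The point of the `:strict` branch is that an origin must never pick a framing the proxy might not share: when the Transfer-Encoding value is not exactly what it supports, refusing the request keeps both sides in agreement, whereas silently falling back to Content-Length (the `:proxy` policy) is exactly the "poor header check" the advisory relies on.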

Weakness Enumeration

CWE-444: HTTP Request/Response Smuggling

Related Identifiers

ALSA-2021:2584
ALSA-2021:2587
ALSA-2021:2588
ALSA-2025:16880
ALT-PU-2020-3360
ALT-PU-2020-3411
ALT-PU-2021-3068
BDU:2021-01472
BIT-RUBY-2020-25613
BIT-RUBY-MIN-2020-25613
CESA-2021:2584
CESA-2021:2587
CESA-2021:2588
CVE-2020-25613
DLA-2391-1
DLA-2392-1
DLA-3408-1
GHSA-GWFG-CQMG-CF8F
MGASA-2020-0423
MGASA-2020-0440
OPENSUSE-SU-2021:0471-1
OPENSUSE-SU-2024:11310-1
RHSA-2021:2104
RHSA-2021:2229
RHSA-2021:2230
RHSA-2021:2584
RHSA-2021:2587
RHSA-2021:2588
RHSA-2022:0581
RHSA-2022:0582
RHSA-2026:7305
RHSA-2026:7307
RHSA-2026:8838
RLSA-2021:2584
RLSA-2021:2587
RLSA-2021:2588
SUSE-SU-2021:0933-1
SUSE-SU-2021:3837-1
USN-4882-1

Affected Products

ALT Linux
AlmaLinux
Astra Linux
CentOS
Linux Mint
Red Hat
Rocky Linux
Ruby
SUSE
Ubuntu
WEBrick