CVE-2020-25613
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 06/10/2020
Last modified: 24/01/2024
Description
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
Impact
Base Score 3.x: 7.50
Severity 3.x: HIGH
Base Score 2.0: 5.00
Severity 2.0: MEDIUM
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 2.5.8 (including) | |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 2.6.0 (including) | 2.6.6 (including) |
| cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:* | 2.7.0 (including) | 2.7.1 (including) |
| cpe:2.3:a:ruby-lang:webrick:*:*:*:*:*:ruby:*:* | 1.6.0 (including) | |
| cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* | | |
| cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:* | | |
References to Advisories, Solutions, and Tools
- https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
- https://hackerone.com/reports/965267
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/
- https://security.gentoo.org/glsa/202401-27
- https://security.netapp.com/advisory/ntap-20210115-0008/
- https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/