CVE-2008-5189: Cross-Site Request Forgery in Rails

Severity: 5.0 MEDIUM (NVD)
EPSS: 0.2% (top 61.80%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Nov 21; Latest update Oct 24

Description

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

CVSS vector

AV:N/AC:L/C:N/I:P/A:N (Exploitability: 10.0 | Impact: 2.9)

Affected Packages (4 packages)

RubyGems: rubyonrails/rails < 2.0.5
Debian: rubyonrails/rails < 2.1.0-6+3
NVD: rubyonrails/rails, 36 versions

Patches

Vulnerability Details (4)

OSV: rails is vulnerable to CRLF injection (2017-10-24)
GHSA: rails is vulnerable to CRLF injection (2017-10-24)
CVEList: CVE-2008-5189: CRLF injection vulnerability in Ruby on Rails before 2 (2008-11-21)
OSV: CVE-2008-5189: CRLF injection vulnerability in Ruby on Rails before 2 (2008-11-21)

Vendor Advisories (2)

Red Hat: rubygems-actionpack: redirect HTTP header injection vulnerability (2008-10-14)
Debian: CVE-2008-5189: rails - CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attacke... (2008)

Community (2)

Bugzilla: ruby: HTTP response splitting issue in CGI module (2009-02-26)
Bugzilla: CVE-2008-5189 rubygems-actionpack: redirect HTTP header injection vulnerability (2008-11-21)