CVE-2011-3624
Published 2019-11-26
CVE-2011-3624: Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server…
Priority: P4 28 · medium · 5.3 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 1.52% (71.4th percentile)
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | — | — |
| ruby | ruby | — | — |
| ruby | ruby | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Red Hat
WEBrick::HTTPRequest X-Forwarded-* allows arbitrary data
Source: vendor_redhat · 2011-10-07 · CVSS 5.3 · Severity: MEDIUM
Package: ruby (Red Hat Enterprise Linux 4) - Affected
Package: ruby (Red Hat Enterprise Linux 5) - Affected
Package: ruby (Red Hat Enterprise Linux 6) - Affected
GHSA
GHSA-rc82-v3mm-rhj2: Various methods in WEBrick::HTTPRequest in Ruby 1
Source: ghsa_unreviewed · 2022-04-22 · Severity: MEDIUM · CWE-74
No detection rules found.
No public exploits indexed.
References:
- https://access.redhat.com/security/cve/cve-2011-3624
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624
- https://redmine.ruby-lang.org/issues/5418
- https://security-tracker.debian.org/tracker/CVE-2011-3624