CVE-2011-3624 — Injection in Ruby

CWE-74 — Injection5 documents5 sources

Severity

5.3MEDIUMNVD

EPSS

0.9%

top 23.92%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Ruby Ruby-lang Ruby

Timeline

PublishedNov 26

Latest updateApr 22

Description

Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5ruby/ruby1.8.7 and earlier, 1.9.2+1

▶NVDruby-lang/ruby1.8.7, 1.9.2+1

🔴Vulnerability Details

GHSA

GHSA-rc82-v3mm-rhj2: Various methods in WEBrick::HTTPRequest in Ruby 1↗2022-04-22

▶

CVEList

CVE-2011-3624: Various methods in WEBrick::HTTPRequest in Ruby 1↗2019-11-26

▶

📋Vendor Advisories

Red Hat

WEBrick:: HTTPRequest X-Forwarded-* allows arbitrary data↗2011-10-07

▶

💬Community

Bugzilla

CVE-2011-3624 Ruby WEBrick::HTTPRequest X-Forwarded-* allows arbitrary data↗2011-10-12

▶