CVE-2017-17742
Published: 2018-04-03
Priority P4 · 33 · medium · 5.3 · CVSS 3.0
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 5.76% (92.1 percentile)
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0 | — | — |
| apple | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0 | — | — |
| debian | debian_linux | — | — |
| debian | jruby | < jruby 9.3.9.0+ds-1 (bookworm) | jruby 9.3.9.0+ds-1 (bookworm) |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| puma | puma | < 3.12.3 | 3.12.3 |
| puma | puma | — | — |
| ruby-lang | ruby | <= 2.3.0 | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | >= 2.2.0 < 2.2.10 | 2.2.10 |
| ruby-lang | ruby | >= 2.3.0 < 2.3.7 | 2.3.7 |
| ruby-lang | ruby | >= 2.4.0 < 2.4.4 | 2.4.4 |
| ruby-lang | ruby | 2.4.0 – 2.4.7 | — |
| ruby-lang | ruby | >= 2.5.0 < 2.5.1 | 2.5.1 |
| ruby-lang | ruby | 2.5.0 – 2.5.6 | — |
| ruby-lang | ruby | 2.6.0 – 2.6.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 5.3 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 9.1 | CRITICAL | — |
| vendor_ubuntu | — | 9.1 | CRITICAL | — |
| vendor_debian | — | 5.3 | MEDIUM | — |
| vendor_msrc | — | 5.3 | MEDIUM | — |
| vendor_redhat | — | 5.3 | MEDIUM | — |
Ubuntu
Ruby regression
vendor_ubuntu·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] Ruby regression
Title: Ruby regression
Summary: USN-3685-1 introduced a regression in Ruby.
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
Microsoft
HTTP Response Splitting in WEBrick
vendor_msrc·2019-11-12·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-74
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector but did not address an isolated CR or an isolated LF.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries w
Red Hat
ruby: HTTP response splitting in WEBrick
vendor_redhat·2019-10-25·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-113 ruby: HTTP response splitting in WEBrick
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Package: 3amp-system (Red Hat 3scale API Management Platform 2) - Fix deferred
Package: ruby (Red Hat Enterprise Linux 5) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 7) - Fix deferred
Package: rh-ruby24-ruby (
Debian
CVE-2019-16254: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Res...
vendor_debian·2019·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Res...
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Scope: local
bookworm: resolved (fixed in 9.3.9.0+ds-1)
forky: resolved (fixed in 9.3.9.0+ds-1)
sid: resolved (fixed in 9.3.9.0+ds-1)
trixie: resolved (fixed in 9.3.9.0+ds-1)
Apple
CVE-2017-17742: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
vendor_apple·2018-10-30·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Apple Security Update: About the security content of macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
Product: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra
CVE: CVE-2017-17742
Component: CVE-2017-17742
Apple
CVE-2017-17742: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
vendor_apple·2018-07-09·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Apple Security Update: About the security content of macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
Product: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan
CVE: CVE-2017-17742
Component: CVE-2017-17742
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker
Red Hat
ruby: HTTP response splitting in WEBrick
vendor_redhat·2018-03-28·CVSS 5.3
CVE-2017-17742 [MEDIUM] CWE-113 ruby: HTTP response splitting in WEBrick
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. An attacker, able to control the server's headers, could force WEBrick into injecting additional headers to a client.
Statement: This issue affects the versions of ruby as shipped with Red Hat CloudForms 4. Red Hat Product Security has rated this issue as having security impact of Moderate. A future update may address this issue. For additional information, refer to the Issue Severity Clas
Debian
CVE-2017-17742: jruby - Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, ...
vendor_debian·2017·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742: jruby - Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, ...
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Scope: local
bookworm: resolved (fixed in 9.3.9.0+ds-1)
forky: resolved (fixed in 9.3.9.0+ds-1)
sid: resolved (fixed in 9.3.9.0+ds-1)
trixie: resolved (fixed in 9.3.9.0+ds-1)
VulDB
Apple macOS up to 10.14.0 Ruby response splitting (HT209193 / Nessus ID 111081)
vuldb·2026-05-10·CVSS 5.3
CVE-2017-17742 [MEDIUM] Apple macOS up to 10.14.0 Ruby response splitting (HT209193 / Nessus ID 111081)
A vulnerability categorized as critical has been discovered in Apple macOS up to 10.14.0. The affected element is an unknown function of the component Ruby. The manipulation results in http response splitting.
This vulnerability is known as CVE-2017-17742. It is possible to launch the attack remotely. No exploit is available.
It is advisable to upgrade the affected component.
VulDB
Ruby up to 2.2.9/2.3.6/2.4.3/2.5.0 HTTP Server HTTP Response Split response splitting (USN-3685-1 / Nessus ID 110551)
vuldb·2026-05-10·CVSS 5.3
CVE-2017-17742 [MEDIUM] Ruby up to 2.2.9/2.3.6/2.4.3/2.5.0 HTTP Server HTTP Response Split response splitting (USN-3685-1 / Nessus ID 110551)
A vulnerability labeled as critical has been found in Ruby up to 2.2.9/2.3.6/2.4.3/2.5.0. This issue affects some unknown processing of the component HTTP Server. Executing a manipulation as part of HTTP Response can lead to http response splitting (Split).
This vulnerability is handled as CVE-2017-17742. The attack can be executed remotely. There is not any exploit available.
The affected component should be upgraded.
GHSA
GHSA-w9fp-2996-hhwx: Ruby through 2
ghsa_unreviewed·2022-05-24·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-74 GHSA-w9fp-2996-hhwx: Ruby through 2
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
GHSA
GHSA-7p4c-jf2w-hc3w: Ruby before 2
ghsa_unreviewed·2022-05-13
CVE-2017-17742 [MEDIUM] CWE-113 GHSA-7p4c-jf2w-hc3w: Ruby before 2
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
OSV
ruby2.0 regression
osv·2021-03-25·CVSS 9.1
CVE-2017-0903 [CRITICAL] ruby2.0 regression
USN-3685-1 fixed a vulnerability in Ruby. The fix for CVE-2017-0903 introduced
a regression in Ruby. This update fixes the problem.
Original advisory details:
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls.
OSV
CVE-2019-16254: Ruby through 2
osv·2019-11-26·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254: Ruby through 2
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
OSV
ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
osv·2018-06-13·CVSS 9.1
CVE-2017-0898 [CRITICAL] ruby1.9.1, ruby2.0, ruby2.3 vulnerabilities
Some of these CVEs were already addressed in previous
USNs: 3439-1, 3553-1, 3528-1. Here we address
the remaining releases.
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could use this to cause a buffer overrun. (CVE-2017-0898)
It was discovered that Ruby incorrectly handled certain files.
An attacker could use this to overwrite any file on the filesystem.
(CVE-2017-0901)
It was discovered that Ruby was vulnerable to a DNS hijacking vulnerability.
An attacker could use this to possibly force the RubyGems client to download
and install gems from a server that the attacker controls. (CVE-2017-0902)
It was discovered that Ruby incorrectly handled certain YAML files.
An attacker could use this to possibly execute arb
OSV
CVE-2017-17742: Ruby before 2
osv·2018-04-03·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742: Ruby before 2
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-16254 ruby: HTTP response splitting in WEBrick
bugzilla·2020-01-09·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254 ruby: HTTP response splitting in WEBrick
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Reference:
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1789557]
---
Upstream commit for this issue:
https://github.com/ruby/ruby/commit/3ce238b5f
Bugzilla
CVE-2017-17742 ruby: HTTP response splitting in WEBrick
bugzilla·2018-03-29·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742 ruby: HTTP response splitting in WEBrick
If a script accepts external input and outputs it without modification as part of an HTTP response, an attacker can use newline characters to deceive clients into believing that the HTTP response header ends there, and can inject fake HTTP responses after the newline characters to show malicious content to the clients.
Affected versions:
Ruby 2.2 series: 2.2.9 and earlier
Ruby 2.3 series: 2.3.6 and earlier
Ruby 2.4 series: 2.4.3 and earlier
Ruby 2.5 series: 2.5.0 and earlier
External References:
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1561957]
---
Mitigation:
The server can manually sanit
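The following is an added example, not code from any of the advisories quoted above or from WEBrick itself: a header-value check in plain Ruby that shows why a filter limited to the CRLF sequence (the CVE-2017-17742 fix) is incomplete and how the CVE-2019-16254 follow-up closes it by rejecting a lone CR or LF as well. The header names, values and the `UnsafeHeaderError` class are constructed for this illustration.

```ruby
# Added example: header-value checks mirroring the CVE-2017-17742 fix
# (reject CRLF) and the CVE-2019-16254 follow-up (also reject a bare CR
# or a bare LF). Plain Ruby, no WEBrick dependency; all sample values
# below are constructed for this illustration.

# Incomplete check: only the two-byte CRLF sequence is rejected.
def crlf_only_check(value)
  !value.include?("\r\n")
end

# Complete check: any CR or LF anywhere in the value is rejected, since
# many clients and proxies treat a bare LF (or CR) as a line terminator.
def safe_header_value?(value)
  !value.match?(/[\r\n]/)
end

# Constructed error type raised instead of emitting a split header.
class UnsafeHeaderError < StandardError; end

# Serialize a header block, refusing any name or value that would
# terminate a header line early. Returns the wire form on success.
def render_header_block(headers)
  lines = headers.map do |name, value|
    unless safe_header_value?(name.to_s) && safe_header_value?(value.to_s)
      raise UnsafeHeaderError, "control character in header #{name.to_s.inspect}"
    end
    "#{name}: #{value}"
  end
  lines.join("\r\n") + "\r\n\r\n"
end

# Constructed values: one clean, three carrying a line break. The last
# two pass the CRLF-only check but are caught by the complete check.
SAMPLES = {
  "clean"   => "session=abc123; Path=/",
  "crlf"    => "x\r\nX-Injected: yes",
  "bare_cr" => "x\rX-Injected: yes",
  "bare_lf" => "x\nX-Injected: yes",
}.freeze

# Run both checks over every sample; returns a hash keyed by sample name.
def compare_checks
  SAMPLES.transform_values do |v|
    { crlf_only: crlf_only_check(v), complete: safe_header_value?(v) }
  end
end

if __FILE__ == $0
  compare_checks.each do |name, r|
    puts "#{name.ljust(8)} crlf_only=#{r[:crlf_only]} complete=#{r[:complete]}"
  end
end
```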
Bugzilla
CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]
bugzilla·2018-03-29·CVSS 5.3
CVE-2017-17742 [MEDIUM] CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this i
References:
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
http://www.securityfocus.com/bid/103684
http://www.securitytracker.com/id/1042004
https://access.redhat.com/errata/RHSA-2018:3729
https://access.redhat.com/errata/RHSA-2018:3730
https://access.redhat.com/errata/RHSA-2018:3731
https://access.redhat.com/errata/RHSA-2019:2028
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2018/dsa-4259
https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/