CVE-2017-17742HTTP Request/Response Splitting in Ruby

CWE-113HTTP Request/Response SplittingCWE-74Injection14 documents10 sources
Severity
5.3MEDIUMNVD
EPSS
1.2%
top 21.47%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
JrubyRuby-lang RubyDebian Linux
Timeline
PublishedApr 3
Latest updateMay 13

Description

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

NVDruby-lang/ruby2.2.02.2.10+4
Debianjruby/jruby< 9.3.9.0+ds-1+2

Also affects: Debian Linux 7.0

Patches

Patch: www.ruby-lang.orgPatch: www.ruby-lang.orgPatch: www.ruby-lang.org

🔴Vulnerability Details

3
GHSA
GHSA-7p4c-jf2w-hc3w: Ruby before 22022-05-13
OSV
CVE-2017-17742: Ruby before 22018-04-03
CVEList
CVE-2017-17742: Ruby before 22018-04-03

📋Vendor Advisories

7
Microsoft
Ruby through 2.4.7 2.5.x through 2.5.6 and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header an attacker can exploit it to2019-11-12
Red Hat
ruby: HTTP response splitting in WEBrick2019-10-25
Apple
CVE-2017-17742: macOS Mojave 10.14.1, Security Update 2018-002 High Sierra, Security Update 2018-005 Sierra2018-10-30
Apple
CVE-2017-17742: macOS High Sierra 10.13.6, Security Update 2018-004 Sierra, Security Update 2018-004 El Capitan2018-07-09
Ubuntu
Ruby vulnerabilities2018-06-13

💬Community

3
Bugzilla
CVE-2019-16254 ruby: HTTP response splitting in WEBrick2020-01-09
Bugzilla
CVE-2017-17742 ruby: HTTP response splitting in WEBrick2018-03-29
Bugzilla
CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 ruby: various flaws [fedora-all]2018-03-29
CVE-2017-17742 — HTTP Request/Response Splitting | cvebase