CVE-2017-17742
published 2018-04-03


Priority: P4 · 33 · medium
CVSS 3.0 base score: 5.3 (AV:N / AC:L / PR:N / UI:N / S:U / C:N / I:L / A:N)
EPSS: 5.76% (92.1th percentile)
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

Affected

22 ranges
Vendor    | Product                                                                            | Version range                    | Fixed in
apple     | macos_high_sierra_10.13.6_security_update_2018-004_sierra_security_update_2018-0   |                                  |
apple     | macos_mojave_10.14.1_security_update_2018-002_high_sierra_security_update_2018-0   |                                  |
debian    | debian_linux                                                                       |                                  |
debian    | debian_linux                                                                       |                                  |
debian    | jruby                                                                              | < jruby 9.3.9.0+ds-1 (bookworm)  | jruby 9.3.9.0+ds-1 (bookworm)
jruby     | jruby                                                                              | >= 0, < 9.3.9.0+ds-1             | 9.3.9.0+ds-1
jruby     | jruby                                                                              | >= 0, < 9.3.9.0+ds-1             | 9.3.9.0+ds-1
jruby     | jruby                                                                              | >= 0, < 9.3.9.0+ds-1             | 9.3.9.0+ds-1
msrc      | cbl_mariner_1.0_arm                                                                |                                  |
msrc      | cbl_mariner_1.0_x64                                                                |                                  |
msrc      | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0                                                |                                  |
puma      | puma                                                                               | < 3.12.3                         | 3.12.3
puma      | puma                                                                               |                                  |
ruby-lang | ruby                                                                               | <= 2.3.0                         |
ruby-lang | ruby                                                                               |                                  |
ruby-lang | ruby                                                                               | >= 2.2.0, < 2.2.10               | 2.2.10
ruby-lang | ruby                                                                               | >= 2.3.0, < 2.3.7                | 2.3.7
ruby-lang | ruby                                                                               | >= 2.4.0, < 2.4.4                | 2.4.4
ruby-lang | ruby                                                                               | 2.4.0 – 2.4.7                    |
ruby-lang | ruby                                                                               | >= 2.5.0, < 2.5.1                | 2.5.1
ruby-lang | ruby                                                                               | 2.5.0 – 2.5.6                    |
ruby-lang | ruby                                                                               | 2.6.0 – 2.6.4                    |

CVSS provenance

Source        | CVSS version | Score | Severity | Vector
nvd           | v3.0         | 5.3   | MEDIUM   | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
nvd           | v2.0         | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv           |              | 9.1   | CRITICAL |
vendor_ubuntu |              | 9.1   | CRITICAL |
vendor_debian |              | 5.3   | MEDIUM   |
vendor_msrc   |              | 5.3   | MEDIUM   |
vendor_redhat |              | 5.3   | MEDIUM   |