CVE-2019-16254
Published: 2019-11-26
Priority: P4 · 32 · medium · CVSS 3.1 base score 5.3
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
EPSS: 4.57% (90.4th percentile)
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
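The NOTE above is the whole point of this CVE: a check that only looks for the CRLF sequence still lets a bare CR or a bare LF through. The following is an added example (not code from Ruby, WEBrick or Puma; the method names and sample header values are constructed for illustration) that contrasts a CRLF-only check with the complete rule the Puma advisories below describe, rejecting any header value containing a line ending.

```ruby
# Added example, not WEBrick or Puma code. Contrasts an incomplete
# CRLF-only check with one that rejects an isolated CR or LF.

# Hypothetical name; models the CVE-2017-17742-style check that looks
# only for the "\r\n" sequence, so a bare "\r" or "\n" is accepted.
def crlf_only_check?(value)
  !value.include?("\r\n")
end

# Hypothetical name; the complete rule: any CR or LF in a header value
# is rejected, regardless of whether the other character follows it.
def no_line_break_check?(value)
  value !~ /[\r\n]/
end

# Raised when a header value would be rejected, mirroring "rejecting
# headers with those characters" from the fixed behaviour.
class HeaderInjectionError < StandardError; end

# Adds a header only after the complete check passes.
def set_header(headers, name, value)
  raise HeaderInjectionError, "line break in #{name}" if value =~ /[\r\n]/
  headers[name] = value
  headers
end

# Constructed sample values: one clean, one CRLF, and the two isolated
# line-ending cases the original fix missed.
SAMPLES = {
  "clean"       => "text/html; charset=utf-8",
  "crlf"        => "text/html\r\nX-Extra: 1",
  "isolated_cr" => "text/html\rX-Extra: 1",
  "isolated_lf" => "text/html\nX-Extra: 1",
}.freeze

# Returns, per sample, whether each check accepts the value (true = accepted).
def compare_checks
  SAMPLES.transform_values do |v|
    { crlf_only: crlf_only_check?(v), complete: no_line_break_check?(v) }
  end
end

if $PROGRAM_NAME == __FILE__
  compare_checks.each do |label, r|
    puts format("%-12s crlf_only=%-5s complete=%-5s", label, r[:crlf_only], r[:complete])
  end
end
```

The isolated_cr and isolated_lf rows are the gap between CVE-2017-17742 and CVE-2019-16254: the CRLF-only check accepts both, the complete check rejects both.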
Affected
30 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | jruby | < jruby 9.3.9.0+ds-1 (bookworm) | jruby 9.3.9.0+ds-1 (bookworm) |
| debian | puma | < puma 3.12.4-1 (bookworm) | puma 3.12.4-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| puma | puma | < 3.12.4 | 3.12.4 |
| puma | puma | < 3.12.3 | 3.12.3 |
| puma | puma | <= 3.12.3 | — |
| puma | puma | — | — |
| puma | puma | — | — |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4 | 3.12.4 |
| puma | puma | >= 4.0.0 < 4.3.3 | 4.3.3 |
| puma | puma | 4.0.0 – 4.3.2 | — |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| nvd (v2.0) | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | 5.3 | MEDIUM | — |
| osv | 6.5 | MEDIUM | — |
| vendor_ubuntu | 6.5 | MEDIUM | — |
| vendor_debian | 5.3 | MEDIUM | — |
| vendor_msrc | 5.3 | MEDIUM | — |
| vendor_redhat | 5.3 | MEDIUM | — |
Red Hat
rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
vendor_redhat·2020-03-02·CVSS 5.3
CVE-2020-5247 [MEDIUM] CWE-113 rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line
Debian
CVE-2020-5247: puma - In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma a...
vendor_debian·2020·CVSS 5.3
CVE-2020-5247 [MEDIUM] CVE-2020-5247: puma - In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma a...
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Scope: local
bookworm: resolved (fixed in 3.12.4-1)
bullseye: resolved (fixed in 3
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2019-11-26·CVSS 6.5
CVE-2019-15845 [MEDIUM] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to pass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
Instructions: In general, a standard system update will make all
Microsoft
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to
vendor_msrc·2019-11-12·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-74 Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries w
Red Hat
ruby: HTTP response splitting in WEBrick
vendor_redhat·2019-10-25·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-113 ruby: HTTP response splitting in WEBrick
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Package: 3amp-system (Red Hat 3scale API Management Platform 2) - Fix deferred
Package: ruby (Red Hat Enterprise Linux 5) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 7) - Fix deferred
Package: rh-ruby24-ruby (
Debian
CVE-2019-16254: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Res...
vendor_debian·2019·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254: jruby - Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Res...
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Scope: local
bookworm: resolved (fixed in 9.3.9.0+ds-1)
forky: resolved (fixed in 9.3.9.0+ds-1)
sid: resolved (fixed in 9.3.9.0+ds-1)
trixie: resolved (fixed in 9.3.9.0+ds-1)
VulDB
Ruby up to 2.4.7/2.5.6/2.6.4 Incomplete Fix HTTP Response injection (DLA 2027-1 / WID-SEC-2023-1110)
vuldb·2026-05-10·CVSS 5.3
CVE-2019-16254 [MEDIUM] Ruby up to 2.4.7/2.5.6/2.6.4 Incomplete Fix HTTP Response injection (DLA 2027-1 / WID-SEC-2023-1110)
A vulnerability was found in Ruby up to 2.4.7/2.5.6/2.6.4. It has been classified as critical. This issue affects some unknown processing of the component Incomplete Fix. Performing a manipulation as part of HTTP Response results in injection.
This vulnerability was named CVE-2019-16254. The attack may be initiated remotely. There is no available exploit.
GHSA
GHSA-w9fp-2996-hhwx: Ruby through 2
ghsa_unreviewed·2022-05-24·CVSS 5.3
CVE-2019-16254 [MEDIUM] CWE-74 GHSA-w9fp-2996-hhwx: Ruby through 2
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
OSV
HTTP Response Splitting in Puma
osv·2020-02-28·CVSS 5.3
CVE-2020-5247 [MEDIUM] HTTP Response Splitting in Puma
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
GHSA
HTTP Response Splitting in Puma
ghsa·2020-02-28·CVSS 5.3
CVE-2020-5247 [MEDIUM] CWE-113 HTTP Response Splitting in Puma
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
OSV
CVE-2020-5247: In Puma (RubyGem) before 4
osv·2020-02-28·CVSS 5.3
CVE-2020-5247 [MEDIUM] CVE-2020-5247: In Puma (RubyGem) before 4
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
OSV
CVE-2019-16254: Ruby through 2
osv·2019-11-26·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254: Ruby through 2
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
OSV
ruby2.3, ruby2.5 vulnerabilities
osv·2019-11-26·CVSS 6.5
CVE-2019-15845 [MEDIUM] ruby2.3, ruby2.5 vulnerabilities
It was discovered that Ruby incorrectly handled certain files.
An attacker could possibly use this issue to pass path matching,
which can lead to unauthorized access. (CVE-2019-15845)
It was discovered that Ruby incorrectly handled certain regular expressions.
An attacker could use this issue to cause a denial of service.
(CVE-2019-16201)
It was discovered that Ruby incorrectly handled certain HTTP headers.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16254)
It was discovered that Ruby incorrectly handled certain inputs.
An attacker could possibly use this issue to execute arbitrary code.
(CVE-2019-16255)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2019-16254 ruby: HTTP response splitting in WEBrick (Additional fix) [fedora-all]
bugzilla·2020-01-09·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254 ruby: HTTP response splitting in WEBrick (Additional fix) [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported
Bugzilla
CVE-2019-16254 ruby: HTTP response splitting in WEBrick
bugzilla·2020-01-09·CVSS 5.3
CVE-2019-16254 [MEDIUM] CVE-2019-16254 ruby: HTTP response splitting in WEBrick
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
Reference:
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1789557]
---
Upstream commit for this issue:
https://github.com/ruby/ruby/commit/3ce238b5f
HackerOne
HTTP header can split /[\r\n]/ instead of /\r\n/
hackerone·2019-10-25
CVE-2019-16254 HTTP header can split /[\r\n]/ instead of /\r\n/
https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
References:
http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
https://hackerone.com/reports/331984
https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://seclists.org/bugtraq/2019/Dec/31
https://seclists.org/bugtraq/2019/Dec/32
https://security.gentoo.org/glsa/202003-06
https://www.debian.org/security/2019/dsa-4586
https://www.debian.org/security/2019/dsa-4587
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/
Published: 2019-11-26