cbcvebase.
CVE-2020-25613
published 2020-10-06


Priority: P343 (high)
CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 3.77% (88.6th percentile)
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Affected

15 ranges

Vendor        | Product                             | Version range                    | Fixed in
--------------|-------------------------------------|----------------------------------|------------------------------
debian        | jruby                               | < jruby 9.3.9.0+ds-1 (bookworm)  | jruby 9.3.9.0+ds-1 (bookworm)
debian        | ruby2.7                             | < jruby 9.3.9.0+ds-1 (bookworm)  | jruby 9.3.9.0+ds-1 (bookworm)
fedoraproject | fedora                              |                                  |
fedoraproject | fedora                              |                                  |
jruby         | jruby                               | >= 0 < 9.3.9.0+ds-1              | 9.3.9.0+ds-1
jruby         | jruby                               | >= 0 < 9.3.9.0+ds-1              | 9.3.9.0+ds-1
jruby         | jruby                               | >= 0 < 9.3.9.0+ds-1              | 9.3.9.0+ds-1
msrc          | cm1_ruby_2.6.6-2_on_cbl_mariner_1.0 |                                  |
ruby-lang     | ruby                                | <= 2.5.8                         |
ruby-lang     | ruby                                | 2.6.0 – 2.6.6                    |
ruby-lang     | ruby                                | 2.7.0 – 2.7.1                    |
ruby-lang     | webrick                             | <= 1.6.0                         |
ruby-lang     | webrick                             | >= 0 < 1.4.4                     | 1.4.4
ruby-lang     | webrick                             | >= 1.5.0 < 1.5.1                 | 1.5.1
ruby-lang     | webrick                             | >= 1.6.0 < 1.6.1                 | 1.6.1

CVSS provenance

Source        | Version | Score | Severity | Vector
--------------|---------|-------|----------|----------------------------------------------
nvd           | v3.1    | 7.5   | HIGH     | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd           | v2.0    | 5.0   | MEDIUM   | AV:N/AC:L/Au:N/C:N/I:P/A:N
osv           |         | 7.5   | HIGH     |
vendor_debian |         | 7.5   | HIGH     |
vendor_msrc   |         | 7.5   | HIGH     |
vendor_redhat |         | 7.5   | HIGH     |
vendor_ubuntu |         | 7.5   | HIGH     |