CVE-2020-25613
Published: 2020-10-06
Priority: P3 · 43 · high · CVSS 3.1 score 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 3.77% (88.6th percentile)
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
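The description above turns on how loosely the Transfer-Encoding value is matched. The Ruby below is an added illustration, not WEBrick's own code: it contrasts a tolerant substring check with a strict exact-token check and classifies request framing the way a strict parser should, refusing ambiguous combinations instead of guessing. All header values are constructed samples.

```ruby
# Added illustration, not WEBrick's own code. A tolerant check that matches
# "chunked" anywhere in the Transfer-Encoding value is contrasted with a strict
# exact-token check, and a small framing classifier rejects ambiguous requests.
# All header values below are constructed samples.

# Tolerant check: true whenever the substring "chunked" appears anywhere.
# "xchunked" or "chunked, gzip" pass here, yet a proxy may reject them or
# treat the body as Content-Length framed; that disagreement is the risk.
def loose_chunked?(value)
  !(value =~ /chunked/i).nil?
end

# Strict check: only the bare token "chunked" (case-insensitive, surrounding
# whitespace stripped) is accepted, so there is exactly one interpretation.
def strict_chunked?(value)
  value.strip.match?(/\Achunked\z/i)
end

# Decide how a request body is framed from lowercase-keyed headers:
# :chunked, :content_length, :none, or :reject when framing is ambiguous.
def framing(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  if te
    return :reject unless strict_chunked?(te)
    return :reject if cl # TE and CL together: refuse rather than guess
    :chunked
  elsif cl
    cl.strip.match?(/\A\d+\z/) ? :content_length : :reject # "5, 6" is rejected
  else
    :none
  end
end

# Run both checks over constructed header values and return
# { value => [loose_result, strict_result] } for side-by-side comparison.
def compare_checks(values = ["chunked", "Chunked", " chunked", "xchunked", "chunked, gzip", "identity"])
  values.to_h { |v| [v, [loose_chunked?(v), strict_chunked?(v)]] }
end

if __FILE__ == $0
  compare_checks.each { |v, (loose, strict)| puts "#{v.inspect}: loose=#{loose} strict=#{strict}" }
end
```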
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | jruby | < jruby 9.3.9.0+ds-1 (bookworm) | jruby 9.3.9.0+ds-1 (bookworm) |
| debian | ruby2.7 | < jruby 9.3.9.0+ds-1 (bookworm) | jruby 9.3.9.0+ds-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| jruby | jruby | >= 0 < 9.3.9.0+ds-1 | 9.3.9.0+ds-1 |
| msrc | cm1_ruby_2.6.6-2_on_cbl_mariner_1.0 | — | — |
| ruby-lang | ruby | <= 2.5.8 | — |
| ruby-lang | ruby | 2.6.0 – 2.6.6 | — |
| ruby-lang | ruby | 2.7.0 – 2.7.1 | — |
| ruby-lang | webrick | <= 1.6.0 | — |
| ruby-lang | webrick | >= 0 < 1.4.4 | 1.4.4 |
| ruby-lang | webrick | >= 1.5.0 < 1.5.1 | 1.5.1 |
| ruby-lang | webrick | >= 1.6.0 < 1.6.1 | 1.6.1 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |
Ubuntu
Ruby vulnerabilities
vendor_ubuntu·2021-03-18·CVSS 7.5
CVE-2020-10663 [HIGH] Ruby vulnerabilities
Title: Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that the Ruby JSON gem incorrectly handled certain JSON
files. If a user or automated system were tricked into parsing a specially
crafted JSON file, a remote attacker could use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-10663)
It was discovered that Ruby incorrectly handled certain socket memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-10933)
It was discovered that Ruby incorrectly handled certain transfer-encoding
headers when using Webrick. A remote attacker could possibly use this issue
to bypass a reverse proxy. (CVE-2020-25613)
Microsoft
An issue was discovered in Ruby through 2.5.8 2.6.x through 2.6.6 and 2.7.x through 2.7.1. WEBrick a simple HTTP server bundled with Ruby had not checked the transfer-encoding header value rigorously.
vendor_msrc·2020-10-13·CVSS 7.5
CVE-2020-25613 [HIGH] CWE-444 An issue was discovered in Ruby through 2.5.8 2.6.x through 2.6.6 and 2.7.x through 2.7.1. WEBrick a simple HTTP server bundled with Ruby had not checked the transfer-encoding header value rigorously.
An issue was discovered in Ruby through 2.5.8 2.6.x through 2.6.6 and 2.7.x through 2.7.1. WEBrick a simple HTTP server bundled with Ruby had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check) which may lead to an HTTP Request Smuggling attack.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work whic
Red Hat
ruby: Potential HTTP request smuggling in WEBrick
vendor_redhat·2020-09-29·CVSS 7.5
CVE-2020-25613 [HIGH] CWE-444 ruby: Potential HTTP request smuggling in WEBrick
ruby: Potential HTTP request smuggling in WEBrick
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
Package: ruby (CloudForms Management Engine 5) - Will not fix
Package: ruby-rack (Red Hat 3scale API Management Platform 2) - Will not fix
Package: system (Red Hat 3scale API Management Platform 2) - Will not fix
Package: ruby (Red Hat Enterprise Linux 5) - Out of support scope
Package: ruby (Red Hat Enterprise Linux 6) - Out of support scope
Package: ruby (Red Hat Enterpr
Debian
CVE-2020-25613: jruby - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x th...
vendor_debian·2020·CVSS 7.5
CVE-2020-25613 [HIGH] CVE-2020-25613: jruby - An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x th...
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
Scope: local
bookworm: resolved (fixed in 9.3.9.0+ds-1)
forky: resolved (fixed in 9.3.9.0+ds-1)
sid: resolved (fixed in 9.3.9.0+ds-1)
trixie: resolved (fixed in 9.3.9.0+ds-1)
GHSA
WEBRick vulnerable to HTTP Request/Response Smuggling
ghsa·2022-05-24
CVE-2020-25613 [HIGH] CWE-444 WEBRick vulnerable to HTTP Request/Response Smuggling
WEBRick vulnerable to HTTP Request/Response Smuggling
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
OSV
WEBRick vulnerable to HTTP Request/Response Smuggling
osv·2022-05-24
CVE-2020-25613 [HIGH] WEBRick vulnerable to HTTP Request/Response Smuggling
WEBRick vulnerable to HTTP Request/Response Smuggling
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
OSV
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
osv·2021-03-18·CVSS 7.5
CVE-2020-10663 [HIGH] ruby2.3, ruby2.5, ruby2.7 vulnerabilities
ruby2.3, ruby2.5, ruby2.7 vulnerabilities
It was discovered that the Ruby JSON gem incorrectly handled certain JSON
files. If a user or automated system were tricked into parsing a specially
crafted JSON file, a remote attacker could use this issue to execute
arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04
LTS. (CVE-2020-10663)
It was discovered that Ruby incorrectly handled certain socket memory
operations. A remote attacker could possibly use this issue to obtain
sensitive information. This issue only affected Ubuntu 18.04 LTS and
Ubuntu 20.04 LTS. (CVE-2020-10933)
It was discovered that Ruby incorrectly handled certain transfer-encoding
headers when using Webrick. A remote attacker could possibly use this issue
to bypass a reverse proxy. (CVE-2020-25613)
OSV
CVE-2020-25613: An issue was discovered in Ruby through 2
osv·2020-10-06·CVSS 7.5
CVE-2020-25613 [HIGH] CVE-2020-25613: An issue was discovered in Ruby through 2
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-25613 ruby: potential HTTP request smuggling in WEBrick [fedora-all]
bugzilla·2020-09-29·CVSS 7.5
CVE-2020-25613 [HIGH] CVE-2020-25613 ruby: potential HTTP request smuggling in WEBrick [fedora-all]
CVE-2020-25613 ruby: potential HTTP request smuggling in WEBrick [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions
Bugzilla
CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick
bugzilla·2020-09-29·CVSS 7.5
CVE-2020-25613 [HIGH] CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick
CVE-2020-25613 ruby: Potential HTTP request smuggling in WEBrick
WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to “smuggle” a request.
Reference:
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
Discussion:
Created ruby tracking bugs for this issue:
Affects: fedora-all [bug 1883624]
---
Just FTR, I don't think this should really impact any of RH products, because they are very likely using a different HTTP server, such as rubygem-puma. WEBrick is targeted more for development use, if there is no other option.
---
Upstream commit for this issue:
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73
References
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
https://hackerone.com/reports/965267
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/
https://security.gentoo.org/glsa/202401-27
https://security.netapp.com/advisory/ntap-20210115-0008/
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/