CVE-2020-25613 – ruby: Potential HTTP request smuggling in WEBrick
https://notcve.org/view.php?id=CVE-2020-25613
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. Se detectó un problema en Ruby versiones hasta 2.5.8, versiones 2.6.x hasta 2.6.6 y versiones 2.7.x hasta 2.7.1. WEBrick, un simple servidor HTTP integrado con Ruby, no había comprobado rigurosamente el valor del encabezado transfer-encoding. • https://github.com/metapox/CVE-2020-25613 https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7 https://hackerone.com/reports/965267 https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV https://security.gentoo.org/glsa/202401-27 https://sec • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •
CVE-2019-11879
https://notcve.org/view.php?id=CVE-2019-11879
The WEBrick gem 1.4.2 for Ruby allows directory traversal if the attacker once had local access to create a symlink to a location outside of the web root directory. NOTE: The vendor states that this is analogous to Options FollowSymlinks in the Apache HTTP Server, and therefore it is "not a problem. ** EN DISPUTA ** La WEBrick gem versión 1.4.2 para Ruby permite salto de directorio si el atacante alguna vez tuvo acceso local para crear un enlace simbólico a una ubicación fuera del directorio web root. NOTA: El proveedor declara que esto es similar a las Opciones FollowSymlinks en el Servidor HTTP de Apache, y por lo tanto "no es un problema". • https://bugs.ruby-lang.org/issues/15835 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2009-4492 – Ruby 1.9.1 - WEBrick 'Terminal Escape Sequence in Logs' Command Injection
https://notcve.org/view.php?id=CVE-2009-4492
WEBrick 1.3.1 in Ruby 1.8.6 through patchlevel 383, 1.8.7 through patchlevel 248, 1.8.8dev, 1.9.1 through patchlevel 376, and 1.9.2dev writes data to a log file without sanitizing non-printable characters, which might allow remote attackers to modify a window's title, or possibly execute arbitrary commands or overwrite files, via an HTTP request containing an escape sequence for a terminal emulator. WEBrick v1.3.1 en Ruby v1.8.6 del patchlevel 383, v1.8.7 al patchlevel 248, v1.8.8dev, 1.9.1 al patchlevel 376, y v1.9.2dev ,escribe datos en un archivo de los sin depurar los caracteres no escribibles, lo que podría permitir a atacantes remotos modificar la ventana de título, o posiblemente ejecutar comandos de su elección o sobrescribir archivos, a través de una petición HTTP que contiene una secuencia de escape para el emulador de terminal. Nginx, Varnish, Cherokee, thttpd, mini-httpd, WEBrick, Orion, AOLserver, Yaws and Boa are subject to log escape sequence injection vulnerabilities. • https://www.exploit-db.com/exploits/33489 http://secunia.com/advisories/37949 http://securitytracker.com/id?1023429 http://www.redhat.com/support/errata/RHSA-2011-0908.html http://www.redhat.com/support/errata/RHSA-2011-0909.html http://www.ruby-lang.org/en/news/2010/01/10/webrick-escape-sequence-injection http://www.securityfocus.com/archive/1/508830/100/0/threaded http://www.securityfocus.com/bid/37710 http://www.ush.it/team/ush/hack_httpd_escape/adv.txt http: •