CVE-2017-17742
ruby: HTTP response splitting in WEBrick
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.
Ruby, en versiones anteriores a la 2.2.10, versiones 2.3.x anteriores a la 2.3.7, versiones 2.4.x anteriores a la 2.4.4, versiones 2.5.x anteriores a la 2.5.1 y la versiĆ³n 2.6.0-preview1, permite un ataque de separaciĆ³n de respuesta HTTP. Un atacante puede inyectar una clave y un valor manipulados en una respuesta HTTP para el servidor HTTP de WEBrick.
It was found that WEBrick did not sanitize headers sent back to clients, resulting in a response-splitting vulnerability. An attacker, able to control the server's headers, could force WEBrick into injecting additional headers to a client.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2017-12-18 CVE Reserved
- 2018-03-30 CVE Published
- 2024-07-07 EPSS Updated
- 2024-08-05 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CAPEC
References (22)
URL | Tag | Source |
---|---|---|
http://www.securityfocus.com/bid/103684 | Third Party Advisory | |
http://www.securitytracker.com/id/1042004 | Vdb Entry | |
https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html | Mailing List | |
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html | Mailing List |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.2.0 < 2.2.10 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.2.0 < 2.2.10" | - |
Affected
| ||||||
Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.3.0 < 2.3.7 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.3.0 < 2.3.7" | - |
Affected
| ||||||
Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.4.0 < 2.4.4 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.4.0 < 2.4.4" | - |
Affected
| ||||||
Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.5.0 < 2.5.1 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.5.0 < 2.5.1" | - |
Affected
| ||||||
Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | 2.6.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.6.0" | preview1 |
Affected
| ||||||
Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 7.0 Search vendor "Debian" for product "Debian Linux" and version "7.0" | - |
Affected
|