CVE-2020-25613
ruby: Potential HTTP request smuggling in WEBrick
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
Se detectó un problema en Ruby versiones hasta 2.5.8, versiones 2.6.x hasta 2.6.6 y versiones 2.7.x hasta 2.7.1. WEBrick, un simple servidor HTTP integrado con Ruby, no había comprobado rigurosamente el valor del encabezado transfer-encoding. Un atacante puede explotar potencialmente este problema para omitir un proxy inverso (que también presenta una comprobación de encabezado deficiente), que puede conllevar a un ataque de Trafico Inapropiado de Peticiones HTTP
It was discovered that the Ruby JSON gem incorrectly handled certain JSON files. If a user or automated system were tricked into parsing a specially crafted JSON file, a remote attacker could use this issue to execute arbitrary code. This issue only affected Ubuntu 16.04 LTS and Ubuntu 18.04 LTS. It was discovered that Ruby incorrectly handled certain socket memory operations. A remote attacker could possibly use this issue to obtain sensitive information. This issue only affected Ubuntu 18.04 LTS and Ubuntu 20.04 LTS. Various other issues were also addressed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-09-16 CVE Reserved
- 2020-10-06 CVE Published
- 2022-03-30 First Exploit
- 2024-08-04 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (10)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html | Mailing List |
|
| https://security.netapp.com/advisory/ntap-20210115-0008 | Third Party Advisory |
|
| URL | Date | SRC |
|---|---|---|
| https://github.com/metapox/CVE-2020-25613 | 2022-03-30 |
| URL | Date | SRC |
|---|---|---|
| https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7 | 2024-01-24 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | <= 2.5.8 Search vendor "Ruby-lang" for product "Ruby" and version " <= 2.5.8" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.6.0 <= 2.6.6 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.6.0 <= 2.6.6" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Ruby Search vendor "Ruby-lang" for product "Ruby" | >= 2.7.0 <= 2.7.1 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.7.0 <= 2.7.1" | - |
Affected
| ||||||
| Ruby-lang Search vendor "Ruby-lang" | Webrick Search vendor "Ruby-lang" for product "Webrick" | <= 1.6.0 Search vendor "Ruby-lang" for product "Webrick" and version " <= 1.6.0" | ruby |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||