CVE-2020-25613
ruby: Potential HTTP request smuggling in WEBrick
- Public Exploits: 1
- Exploited in Wild: -
- Decision: -
Descriptions
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
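To make the "rigorous header check" concrete, the following added example (not WEBrick's code, and not taken from the fix commit) contrasts a lax substring match on Transfer-Encoding with a strict classification that accepts only the exact token `chunked` and rejects requests that also carry Content-Length, the ambiguity a front-end proxy and back-end server can otherwise resolve differently. Header hashes with downcased field names are an assumption of the example; the sample headers are constructed.

```ruby
# Added example: lax vs. strict handling of the Transfer-Encoding header.
# Assumption: a request's headers are a Hash of downcased name => value.

LAX_CHUNKED = /chunked/i

# Lax: any value merely containing "chunked" is treated as chunked framing.
def lax_chunked?(headers)
  te = headers["transfer-encoding"]
  !!(te && te =~ LAX_CHUNKED)
end

# Strict: the trimmed value must be exactly "chunked" (case-insensitive),
# and a request carrying both Transfer-Encoding and Content-Length is
# rejected instead of guessing which one frames the body.
# Deliberately conservative: coded lists such as "gzip, chunked" are
# also rejected rather than partially honoured.
def classify_request(headers)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  return :content_length if te.nil? && cl
  return :no_body if te.nil?
  return :reject if cl
  te.strip.casecmp?("chunked") ? :chunked : :reject
end

# Constructed sample headers covering the interesting cases.
SAMPLES = {
  "plain chunked" => { "transfer-encoding" => "chunked" },
  "odd spelling"  => { "transfer-encoding" => "xchunked" },
  "te and cl"     => { "transfer-encoding" => "chunked", "content-length" => "5" },
  "just cl"       => { "content-length" => "5" },
}

# Returns, per sample, [lax verdict, strict verdict] so the two can be compared.
def compare(samples = SAMPLES)
  samples.transform_values { |h| [lax_chunked?(h), classify_request(h)] }
end

compare.each { |name, (lax, strict)| puts "#{name}: lax=#{lax} strict=#{strict}" }
```

The two verdicts diverge exactly on the inputs a smuggling attempt relies on: the lax check still treats "xchunked" and the TE-plus-Content-Length request as chunked, while the strict check rejects both.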
CVSS Scores
SSVC
- Decision: -
Timeline
- 2020-09-16 CVE Reserved
- 2020-10-06 CVE Published
- 2022-03-30 First Exploit
- 2024-08-04 CVE Updated
- 2024-09-12 EPSS Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (10)
URL | Tag | Date
---|---|---
https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html | Mailing List |
https://security.netapp.com/advisory/ntap-20210115-0008 | Third Party Advisory |
https://github.com/metapox/CVE-2020-25613 | Public exploit | 2022-03-30
https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7 | Upstream commit | 2024-01-24
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Ruby-lang | Ruby | <= 2.5.8 | - | Affected
Ruby-lang | Ruby | >= 2.6.0 <= 2.6.6 | - | Affected
Ruby-lang | Ruby | >= 2.7.0 <= 2.7.1 | - | Affected
Ruby-lang | Webrick | <= 1.6.0 | ruby | Affected
Fedoraproject | Fedora | 32 | - | Affected
Fedoraproject | Fedora | 33 | - | Affected