CVE-2020-25613

EPSS 0.27%
Veröffentlicht 06.10.2020 13:15:13
Zuletzt bearbeitet 21.11.2024 05:18:14
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 11

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Ruby-lang ≫ Ruby Version <= 2.5.8

Ruby-lang ≫ Ruby Version >= 2.6.0 <= 2.6.6

Ruby-lang ≫ Ruby Version >= 2.7.0 <= 2.7.1

Ruby-lang ≫ Webrick SwPlatformruby Version <= 1.6.0

Fedoraproject ≫ Fedora Version32

Fedoraproject ≫ Fedora Version33

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.27%	0.503

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvd@nist.gov	5	10	2.9	AV:N/AC:L/Au:N/C:N/I:P/A:N

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination.

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7

Patch

Third Party Advisory

https://hackerone.com/reports/965267

Third Party Advisory

Permissions Required

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PFP3E7KXXT3H3KA6CBZPUOGA5VPFARRJ/

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YTZURYROG3FFED3TYCQOBV66BS4K6WOV/

https://security.gentoo.org/glsa/202401-27

https://security.netapp.com/advisory/ntap-20210115-0008/

Third Party Advisory