QwikSec

Security Database

CVE

CWE

Training

CVE-2019-16254

Published: Nov 26, 2019

Modified: Aug 5, 2024

PUBLISHED

Description

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Vendor	Product	Versions
n/a	n/a	affected `n/a`

References

https://hackerone.com/reports/331984

https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html

https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/

[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update

mailing-list

20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update

mailing-list

20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update

mailing-list

vendor-advisory

vendor-advisory

https://www.oracle.com/security-alerts/cpujan2020.html

vendor-advisory

openSUSE-SU-2020:0395

vendor-advisory

[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update

mailing-list

[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update

mailing-list

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.