CVE-2020-25613

CVSS v3.1: 7.5 (High)
CVSS v2.0: 5.0 (Medium)
EPSS: 0.38% (73rd percentile)
Affected Products: 3
Advisories: 25

An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.
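The mechanism described above, as an added example (this is not WEBrick's code and not the reverse proxy's code): a minimal HTTP/1.1 request framer with three Transfer-Encoding policies. `:proxy` models a front end whose header check is poor in the way the description mentions: it recognises only the exact value `chunked` and otherwise silently falls back to `Content-Length`. `:lax` models a back end that treats any value containing the substring `chunked` as chunked; this is an assumption about what "not checked rigorously" looks like, since the page does not quote the original check. `:strict` is the hardened form: it refuses a request carrying both `Transfer-Encoding` and `Content-Length` and accepts only the exact token. The raw request streams are constructed for the example. Fed the same bytes, the proxy sees one `POST /`, the lax back end sees that `POST /` followed by a smuggled `GET /admin`, and the strict back end rejects the request outright.

```ruby
require "stringio"

# Raised when a request cannot be framed safely (a real server would answer 400 or 501).
class FramingError < StandardError; end

Request = Struct.new(:method, :target, :headers, :body)

# Constructed attack stream (not captured traffic). Content-Length covers the whole
# tail, but the Transfer-Encoding value is "xchunked", not "chunked". The tail starts
# with a terminating zero-size chunk, so a parser that accepts "xchunked" as chunked
# stops there and treats the rest as a second request.
RAW_SMUGGLE =
  "POST / HTTP/1.1\r\n" \
  "Host: app\r\n" \
  "Content-Length: 39\r\n" \
  "Transfer-Encoding: xchunked\r\n" \
  "\r\n" \
  "0\r\n\r\n" \
  "GET /admin HTTP/1.1\r\n" \
  "Host: app\r\n" \
  "\r\n"

# Constructed well-formed chunked request: the strict policy must still accept this.
RAW_CHUNKED_OK =
  "POST / HTTP/1.1\r\nHost: app\r\nTransfer-Encoding: chunked\r\n\r\n" \
  "5\r\nhello\r\n0\r\n\r\n"

# Read request line and headers; header names are lower-cased, values stripped.
def parse_head(io)
  line = io.gets("\r\n") or return nil
  method, target, _version = line.chomp("\r\n").split(" ", 3)
  headers = {}
  while (h = io.gets("\r\n")) && h != "\r\n"
    name, value = h.chomp("\r\n").split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [method, target, headers]
end

# Decide how the message body is delimited under a given policy.
def framing_for(headers, policy)
  te = headers["transfer-encoding"]
  cl = headers["content-length"]
  case policy
  when :proxy   # assumed leaky front end: unknown TE value falls back to Content-Length
    return :chunked if te && te.casecmp?("chunked")
    cl ? :length : :none
  when :lax     # assumed pre-fix behaviour: substring match, so "xchunked" counts as chunked
    if te
      te =~ /chunked/i ? :chunked : raise(FramingError, "unsupported Transfer-Encoding: #{te}")
    else
      cl ? :length : :none
    end
  when :strict  # hardened: exact token only, and never both framing headers at once
    if te
      raise FramingError, "Transfer-Encoding and Content-Length both present" if cl
      te.casecmp?("chunked") ? :chunked : raise(FramingError, "unsupported Transfer-Encoding: #{te}")
    else
      cl ? :length : :none
    end
  end
end

# Decode a chunked body: hex size line, data, CRLF, until a zero-size chunk and trailers.
def read_chunked(io)
  body = +""
  loop do
    size_line = io.gets("\r\n") or raise FramingError, "truncated chunk size line"
    size_str = size_line.chomp("\r\n").split(";", 2).first.to_s
    raise FramingError, "bad chunk size #{size_str.inspect}" unless size_str =~ /\A[0-9a-fA-F]+\z/
    size = size_str.to_i(16)
    if size.zero?
      while (t = io.gets("\r\n")) && t != "\r\n"; end   # skip optional trailers
      return body
    end
    chunk = io.read(size)
    raise FramingError, "truncated chunk data" unless chunk && chunk.bytesize == size
    body << chunk
    raise FramingError, "missing CRLF after chunk" unless io.gets("\r\n") == "\r\n"
  end
end

# Split a byte stream into the requests this policy would see on it.
def parse_requests(stream, policy)
  io = StringIO.new(stream)
  requests = []
  while (head = parse_head(io))
    method, target, headers = head
    body = case framing_for(headers, policy)
           when :chunked then read_chunked(io)
           when :length  then io.read(Integer(headers["content-length"])).to_s
           else ""
           end
    requests << Request.new(method, target, headers, body)
  end
  requests
end

if __FILE__ == $0
  %i[proxy lax strict].each do |policy|
    seen = parse_requests(RAW_SMUGGLE, policy).map { |r| "#{r.method} #{r.target}" }
    puts "#{policy}: #{seen.inspect}"
  rescue FramingError => e
    puts "#{policy}: rejected (#{e.message})"
  end
end
```

The point to take from the run is the disagreement, not either parser on its own: the front end forwards 39 bytes it believes are one body, and the lax back end turns the last 34 of them into a request that the proxy never authorised. The strict policy closes both routes by refusing ambiguous framing before reading any body.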

Weaknesses: CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CVE Status: PUBLISHED
CNA: MITRE
Published Date: 2020-10-06 13:15:13
Updated Date: 2024-01-24 05:15:08

Affected Products


Configuration #1

  Vendor     Product  CPE 2.3                                    From      Up To
  Ruby-lang  Ruby     cpe:2.3:a:ruby-lang:ruby                   -         <= 2.5.8
  Ruby-lang  Ruby     cpe:2.3:a:ruby-lang:ruby                   >= 2.6.0  <= 2.6.6
  Ruby-lang  Ruby     cpe:2.3:a:ruby-lang:ruby                   >= 2.7.0  <= 2.7.1
  Ruby-lang  Webrick  cpe:2.3:a:ruby-lang:webrick::*:*:*:*:ruby  -         <= 1.6.0

Configuration #2

  Vendor         Product  CPE 2.3                            Version
  Fedoraproject  Fedora   cpe:2.3:o:fedoraproject:fedora:32  32
  Fedoraproject  Fedora   cpe:2.3:o:fedoraproject:fedora:33  33