CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick


A potential HTTP request smuggling vulnerability in WEBrick was reported. This vulnerability has been assigned the CVE identifier CVE-2020-25613. We strongly recommend upgrading the webrick gem.

Details

WEBrick was too tolerant of an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow an attacker to “smuggle” a request. See CWE-444 for details.
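As an added illustration (not WEBrick's code and not part of the advisory), the check below shows the kind of strict message-framing validation a front-end proxy or server can apply so that it never disagrees with a more tolerant back end about where a request body ends. The allowed coding list, the header-parsing helper and the sample request heads are constructed for this example.

```ruby
# Added example: strict Transfer-Encoding / Content-Length framing check.
# Not WEBrick's implementation. Assumes the request head is a String
# (request line plus headers, up to the blank line).
require 'set'

# Constructed allow-list of standard transfer codings (RFC 7230 registry).
VALID_CODINGS = Set.new(%w[chunked gzip deflate compress identity]).freeze

# Returns :ok, or a symbol naming why the request should be rejected
# before it is forwarded. Anything that is not canonical is refused,
# because "tolerant" interpretations are exactly what proxies and
# back ends disagree on (CWE-444).
def check_framing(head)
  headers = {}
  head.split(/\r?\n/).drop(1).each do |line|
    break if line.empty?
    name, value = line.split(':', 2)
    return :malformed_header if value.nil?
    key = name.strip.downcase
    # A repeated framing header is itself a smuggling indicator.
    if headers.key?(key) && %w[transfer-encoding content-length].include?(key)
      return :duplicate_header
    end
    headers[key] = value.strip
  end

  te = headers['transfer-encoding']
  cl = headers['content-length']
  # RFC 7230 3.3.3: a message must not carry both; refuse rather than guess.
  return :te_and_content_length if te && cl

  if te
    # Each list element must be a bare token with only SP/HTAB around it;
    # any other byte (odd whitespace, parameters, prefixes) is rejected.
    tokens = te.split(',').map { |c| c[/\A[ \t]*([A-Za-z]+)[ \t]*\z/, 1]&.downcase }
    return :invalid_transfer_encoding if tokens.empty?
    return :invalid_transfer_encoding unless tokens.all? { |t| t && VALID_CODINGS.include?(t) }
    # chunked, when present, must be the final coding applied.
    return :chunked_not_final if tokens.include?('chunked') && tokens.last != 'chunked'
  end

  return :invalid_content_length if cl && cl !~ /\A\d+\z/
  :ok
end

# Constructed sample request heads (not from any real traffic).
SAMPLES = {
  clean:     "POST / HTTP/1.1\r\nHost: example\r\nTransfer-Encoding: chunked\r\n\r\n",
  both:      "POST / HTTP/1.1\r\nTransfer-Encoding: chunked\r\nContent-Length: 4\r\n\r\n",
  bad_token: "POST / HTTP/1.1\r\nTransfer-Encoding: xchunked\r\n\r\n",
}.freeze

def classify_samples
  SAMPLES.transform_values { |h| check_framing(h) }
end
```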

Please update the webrick gem to version 1.6.1 or later. You can use gem update webrick to update it. If you are using bundler, please add gem "webrick", ">= 1.6.1" to your Gemfile.

Affected versions

  • webrick gem 1.6.0 or prior
  • bundled versions of webrick in ruby 2.7.1 or prior
  • bundled versions of webrick in ruby 2.6.6 or prior
  • bundled ve...

Links in this thread

  • CVE - CVE-2020-25613
  • CWE - CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') (4.2)
  • HackerOne profile - piao