CVE-2020-25613: system/ruby: HTTP request smuggling
Reporter: Max Rees (sroracle)
Assignee: Max Rees (sroracle)
Reported: 2020-11-21 22:42:56 -0600
Modified: 2020-11-21 22:42:56 -0600
Hardware: Adélie Linux / All
Importance: --- / normal
An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6,
and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with
Ruby, had not checked the transfer-encoding header value rigorously.
An attacker may potentially exploit this issue to bypass a reverse
proxy (which also has a poor header check), which may lead to an HTTP
Request Smuggling attack.
Fixed in >= webrick 1.6.1
This fix is included in ruby >= 2.7.2
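As an added illustration (not WEBrick's own code, and the module and method names are hypothetical), a lax substring check for the Transfer-Encoding header beside a strict one that accepts only the exact token `chunked` and refuses a request carrying both Transfer-Encoding and Content-Length, so that the server never has to guess where a request body ends:

```ruby
# Added example, not code from WEBrick. The weakness described above is a
# Transfer-Encoding check that is too loose; a front proxy and the origin
# can then frame the same request body differently. The strict variant
# below makes the framing decision unambiguous or rejects the request.
module StrictTransferEncoding
  class BadRequest < StandardError; end

  # Lax check: matches the substring "chunked" anywhere in the value,
  # so values that are not the chunked coding still pass.
  def self.lax_chunked?(value)
    !!(value =~ /chunked/i)
  end

  # Strict check: the header must be exactly the single token "chunked"
  # (case-insensitive, surrounding whitespace ignored).
  def self.strict_chunked?(value)
    value.strip.match?(/\Achunked\z/i)
  end

  # Decide how the body of a request is framed from its parsed headers
  # (hash of lower-cased header names to string values).
  # Returns :chunked, :content_length or :none; raises BadRequest for any
  # combination that would be ambiguous to another hop.
  def self.body_framing(headers)
    te = headers['transfer-encoding']
    cl = headers['content-length']
    if te && cl
      raise BadRequest, 'both Transfer-Encoding and Content-Length present'
    end
    if te
      unless strict_chunked?(te)
        raise BadRequest, "unsupported Transfer-Encoding: #{te.inspect}"
      end
      return :chunked
    end
    if cl
      raise BadRequest, "bad Content-Length: #{cl.inspect}" unless cl.match?(/\A\d+\z/)
      return :content_length
    end
    :none
  end
end
```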