CVE-2019-16254

CVE-2019-16254

Name

CVE-2019-16254

Description

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

NVD Severity

medium

Other trackers

CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia

Mailing lists

oss-security, full-disclosure, bugtraq

Exploits

Exploit DB, Metasploit

Forges

GitHub (code, issues), Aports (code, issues)

Type	URI
Vendor Advisory	https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
Third Party Advisory	https://hackerone.com/reports/331984
Vendor Advisory	https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
Vendor Advisory	https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/
Vendor Advisory	https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
Mailing List	https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html
MLIST	https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
BUGTRAQ	https://seclists.org/bugtraq/2019/Dec/32
BUGTRAQ	https://seclists.org/bugtraq/2019/Dec/31
DEBIAN	https://www.debian.org/security/2019/dsa-4587
DEBIAN	https://www.debian.org/security/2019/dsa-4586
MISC	https://www.oracle.com/security-alerts/cpujan2020.html
GENTOO	https://security.gentoo.org/glsa/202003-06
SUSE	http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html
MLIST	https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

Type

URI

Vendor Advisory

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/

Third Party Advisory

https://hackerone.com/reports/331984

Vendor Advisory

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/

Vendor Advisory

https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/

Vendor Advisory

https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/

Mailing List

https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html

MLIST

https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html

BUGTRAQ

https://seclists.org/bugtraq/2019/Dec/32

BUGTRAQ

https://seclists.org/bugtraq/2019/Dec/31

DEBIAN

https://www.debian.org/security/2019/dsa-4587

DEBIAN

https://www.debian.org/security/2019/dsa-4586

MISC

https://www.oracle.com/security-alerts/cpujan2020.html

GENTOO

https://security.gentoo.org/glsa/202003-06

SUSE

http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html

MLIST

https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

Match rules

CPE URI	Source package	Min version	Max version
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= None	<= 2.3.0
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.4.0	<= 2.4.7
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.5.0	<= 2.5.6
`cpe:2.3:a:ruby-lang:ruby::::::::`	ruby	>= 2.6.0	<= 2.6.4

CPE URI

Source package

Min version

Max version

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= None

<= 2.3.0

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.4.0

<= 2.4.7

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.5.0

<= 2.5.6

cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*

ruby

>= 2.6.0

<= 2.6.4

References

Match rules

Vulnerable and fixed packages