CVE-2019-16254
Published: 20 November 2019
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
From the Ubuntu Security Team
It was discovered that JRuby mishandled newline characters in HTTP response headers. A remote attacker could use this vulnerability to display malicious content to HTTP clients.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
ruby2.3 Launchpad, Ubuntu, Debian |
jammy |
Does not exist
|
| bionic |
Does not exist
|
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.3.1-2~ubuntu16.04.14)
|
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
jammy |
Does not exist
|
| bionic |
Released
(2.5.1-1ubuntu1.6)
|
|
| disco |
Released
(2.5.5-1ubuntu1.1)
|
|
| eoan |
Released
(2.5.5-4ubuntu2.1)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.5.7-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc (master) upstream: https://github.com/ruby/ruby/commit/f98b3023bd786b4e7dfdb94b573a5f5d3d37d145 (2.5.x) |
||
|
jruby Launchpad, Ubuntu, Debian |
trusty |
Released
(1.5.6-9+deb8u2build0.14.04.1~esm2)
Available with Ubuntu Pro or Ubuntu Pro (Infra-only) |
| bionic |
Not vulnerable
(code not present)
|
|
| disco |
Not vulnerable
(code not present)
|
|
| eoan |
Ignored
(end of life)
|
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| hirsute |
Not vulnerable
(code not present)
|
|
| impish |
Not vulnerable
(code not present)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |