CVE-2019-16254
Published: 20 November 2019
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
From the Ubuntu Security Team
It was discovered that JRuby mishandled newline characters in HTTP response headers. A remote attacker could use this vulnerability to display malicious content to HTTP clients.
Priority
Status
| Package | Release | Status |
|---|---|---|
|
jruby Launchpad, Ubuntu, Debian |
bionic |
Not vulnerable
(code not present)
|
| disco |
Not vulnerable
(code not present)
|
|
| eoan |
Ignored
(reached end-of-life)
|
|
| focal |
Not vulnerable
(code not present)
|
|
| groovy |
Not vulnerable
(code not present)
|
|
| hirsute |
Not vulnerable
(code not present)
|
|
| impish |
Not vulnerable
(code not present)
|
|
| precise |
Does not exist
|
|
| trusty |
Released
(1.5.6-9+deb8u2build0.14.04.1~esm2)
|
|
| upstream |
Needs triage
|
|
| xenial |
Not vulnerable
(code not present)
|
|
|
ruby2.3 Launchpad, Ubuntu, Debian |
bionic |
Does not exist
|
| disco |
Does not exist
|
|
| eoan |
Does not exist
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Needs triage
|
|
| xenial |
Released
(2.3.1-2~ubuntu16.04.14)
|
|
|
ruby2.5 Launchpad, Ubuntu, Debian |
bionic |
Released
(2.5.1-1ubuntu1.6)
|
| disco |
Released
(2.5.5-1ubuntu1.1)
|
|
| eoan |
Released
(2.5.5-4ubuntu2.1)
|
|
| focal |
Does not exist
|
|
| groovy |
Does not exist
|
|
| hirsute |
Does not exist
|
|
| impish |
Does not exist
|
|
| jammy |
Does not exist
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(2.5.7-1)
|
|
| xenial |
Does not exist
|
|
|
Patches: upstream: https://github.com/ruby/ruby/commit/3ce238b5f9795581eb84114dcfbdf4aa086bfecc (master) upstream: https://github.com/ruby/ruby/commit/f98b3023bd786b4e7dfdb94b573a5f5d3d37d145 (2.5.x) |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 5.3 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | None |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity impact | Low |
| Availability impact | None |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |