CVE-2011-3186

2011-08-2918:55:01

CWE-94

redhat

web.nvd.nist.gov

crlf injection

ruby on rails

http headers

http response splitting

cve-2011-3186

CVSS2

4.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

AI Score

6.7

Confidence

Low

EPSS

0.007

Percentile

79.8%

JSON

CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

Affected configurations

Nvd

Node

rubyonrailsrailsMatch2.3.2

rubyonrailsrailsMatch2.3.3

rubyonrailsrailsMatch2.3.4

rubyonrailsrailsMatch2.3.9

rubyonrailsrailsMatch2.3.10

rubyonrailsrailsMatch2.3.11

rubyonrailsrailsMatch2.3.12

VendorProductVersionCPE
rubyonrailsrails2.3.2cpe:2.3:a:rubyonrails:rails:2.3.2:*:*:*:*:*:*:*
rubyonrailsrails2.3.3cpe:2.3:a:rubyonrails:rails:2.3.3:*:*:*:*:*:*:*
rubyonrailsrails2.3.4cpe:2.3:a:rubyonrails:rails:2.3.4:*:*:*:*:*:*:*
rubyonrailsrails2.3.9cpe:2.3:a:rubyonrails:rails:2.3.9:*:*:*:*:*:*:*
rubyonrailsrails2.3.10cpe:2.3:a:rubyonrails:rails:2.3.10:*:*:*:*:*:*:*
rubyonrailsrails2.3.11cpe:2.3:a:rubyonrails:rails:2.3.11:*:*:*:*:*:*:*
rubyonrailsrails2.3.12cpe:2.3:a:rubyonrails:rails:2.3.12:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
rubyonrails	rails	2.3.2	cpe:2.3:a:rubyonrails:rails:2.3.2:::::::*
rubyonrails	rails	2.3.3	cpe:2.3:a:rubyonrails:rails:2.3.3:::::::*
rubyonrails	rails	2.3.4	cpe:2.3:a:rubyonrails:rails:2.3.4:::::::*
rubyonrails	rails	2.3.9	cpe:2.3:a:rubyonrails:rails:2.3.9:::::::*
rubyonrails	rails	2.3.10	cpe:2.3:a:rubyonrails:rails:2.3.10:::::::*
rubyonrails	rails	2.3.11	cpe:2.3:a:rubyonrails:rails:2.3.11:::::::*
rubyonrails	rails	2.3.12	cpe:2.3:a:rubyonrails:rails:2.3.12:::::::*