GitHub Advisory DatabaseGHSA-JMGF-P46X-982H

HistoryOct 24, 2017 - 6:33 p.m.

rails is vulnerable to CRLF injection

2017-10-2418:33:38

CWE-352

GitHub Advisory Database

github.com

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.8%

JSON

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

CPENameOperatorVersion
railslt2.0.5

CPE	Name	Operator	Version
	rails	lt	2.0.5

References

github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d

lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html

weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing

weblog.rubyonrails.org/2008/10/19/response-splitting-risk

www.securityfocus.com/bid/32359

github.com/advisories/GHSA-jmgf-p46x-982h

github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml

nvd.nist.gov/vuln/detail/CVE-2008-5189

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

0.002 Low

EPSS

Percentile

58.8%

JSON

Related for GHSA-JMGF-P46X-982H