CVSS3: 5.3 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N

webrick is vulnerable to HTTP response splitting. Lack of sanitization of HTTP headers allows an attacker to inject CRLF characters and cause users to render malicious content. The exploit is possible when the application passes untrusted user input into an HTTP header in the response.
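
The failure mode described above, as an added example that is not WEBrick's code: a naive header serializer beside one that rejects CR, LF and NUL before writing the header block. All function names and the sample input are hypothetical and constructed for illustration, and the header-name check is deliberately stricter than the RFC token grammar.

```ruby
# Added illustration; not WEBrick's implementation. All names are hypothetical.
CRLF = "\r\n"

class HeaderInjectionError < ArgumentError; end

# Naive serializer: header values are copied verbatim, so a CR/LF inside a
# value ends the header line early and the rest is read as another header.
def serialize_naive(status_line, headers, body)
  head = headers.map { |name, value| "#{name}: #{value}#{CRLF}" }.join
  "#{status_line}#{CRLF}#{head}#{CRLF}#{body}"
end

# Hardened serializer: validates every name and value before serializing.
def serialize_checked(status_line, headers, body)
  headers.each do |name, value|
    unless name.to_s.match?(/\A[A-Za-z0-9-]+\z/)
      raise HeaderInjectionError, "invalid header name: #{name.inspect}"
    end
    if value.to_s.match?(/[\r\n\x00]/)
      raise HeaderInjectionError, "CR/LF/NUL in value of #{name}"
    end
  end
  serialize_naive(status_line, headers, body)
end

# Reads the header block the way a client would: everything between the
# status line and the first empty line, one header per CRLF-terminated line.
def header_names(raw)
  head, _body = raw.split(CRLF * 2, 2)
  head.split(CRLF).drop(1).map { |line| line.split(":", 2).first }
end

# Constructed sample: a redirect target taken from untrusted input.
UNTRUSTED_TARGET = "/home\r\nX-Injected: 1"

if __FILE__ == $0
  raw = serialize_naive("HTTP/1.1 302 Found", { "Location" => UNTRUSTED_TARGET }, "")
  puts "naive output carries headers: #{header_names(raw).inspect}"
  begin
    serialize_checked("HTTP/1.1 302 Found", { "Location" => UNTRUSTED_TARGET }, "")
  rescue HeaderInjectionError => e
    puts "checked serializer rejected it: #{e.message}"
  end
end
```
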
hackerone.com/reports/331984
lists.debian.org/debian-lts-announce/2019/11/msg00025.html
lists.debian.org/debian-lts-announce/2019/12/msg00009.html
seclists.org/bugtraq/2019/Dec/31
seclists.org/bugtraq/2019/Dec/32
www.debian.org/security/2019/dsa-4586
www.debian.org/security/2019/dsa-4587
www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/
www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/
www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/
www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/