#VU11537 HTTP response splitting in Ruby - CVE-2017-17742
Published: April 5, 2018
Vulnerability identifier: #VU11537
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2017-17742
CWE-ID: CWE-113
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Ruby
Ruby
Software vendor:
Ruby
Ruby
Description
The vulnerability allows a remote attacker to perform HTTP response splitting attack.
The weakness exists due to improper handling of HTTP requests. If a script accepts an external input and outputs it without modification as a part of HTTP responses, a remote attacker can use newline characters to trick the victim that the HTTP response header is stopped at there and inject fake HTTP responses after the newline characters to show malicious contents to the victim.
The weakness exists due to improper handling of HTTP requests. If a script accepts an external input and outputs it without modification as a part of HTTP responses, a remote attacker can use newline characters to trick the victim that the HTTP response header is stopped at there and inject fake HTTP responses after the newline characters to show malicious contents to the victim.
Remediation
Update to versions 2.2.10, 2.3.7, 2.4.4 or 2.5.1.