CVE-2017-17742 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability in Debian and Ruby Lang products

Publication

2018-04-03

Last modification

2018-11-30

Summary

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allow an HTTP Response Splitting attack: an attacker can inject a crafted header key and value into an HTTP response generated by the WEBrick HTTP server.

Classification

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

Risk level (CVSS AV:N/AC:L/Au:N/C:N/I:P/A:N)

Medium

5.0

CVSS v2 breakdown (from the vector above)

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None

Affected Products

Vendor      Product        Versions
Debian      Debian Linux   7.0
Ruby Lang   Ruby           2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.2.6, 2.2.7, 2.2.8, 2.2.9, 2.3.0, 2.3.1, 2.3.2, 2.3.3, 2.3.4, 2.3.5, 2.3.6, 2.4.0, 2.4.1, 2.4.2, 2.4.3, 2.5.0, 2.6.0