|Description||An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)|
Vulnerable and fixed packages
The table below lists information on source packages.
|buster, bullseye, sid||184.108.40.206-3||vulnerable|
|ruby2.5 (PTS)||buster, buster (security)||2.5.5-3+deb10u2||vulnerable|
|ruby2.7 (PTS)||bullseye, sid||2.7.2-2||fixed|
The information below is based on the following data on fixed versions.
[buster] - ruby2.5 <no-dsa> (Minor issue)
Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7