| Name | CVE-2020-25613 |
| Description | An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack. |
| Source | CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| References | DLA-2391-1, DLA-2392-1, DLA-3408-1 |
| Debian Bugs | 972230 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| jruby (PTS) | buster | 9.1.17.0-3 | vulnerable |
| buster (security) | 9.1.17.0-3+deb10u1 | fixed | |
| bookworm | 9.3.9.0+ds-8 | fixed | |
| sid, trixie | 9.4.6.0+ds-1 | fixed | |
| ruby2.5 (PTS) | buster | 2.5.5-3+deb10u4 | fixed |
| buster (security) | 2.5.5-3+deb10u6 | fixed | |
| ruby2.7 (PTS) | bullseye, bullseye (security) | 2.7.4-1+deb11u1 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| jruby | source | stretch | 1.7.26-1+deb9u3 | DLA-2392-1 | ||
| jruby | source | buster | 9.1.17.0-3+deb10u1 | DLA-3408-1 | ||
| jruby | source | (unstable) | 9.3.9.0+ds-1 | 972230 | ||
| ruby2.3 | source | stretch | 2.3.3-1+deb9u9 | DLA-2391-1 | ||
| ruby2.3 | source | (unstable) | (unfixed) | |||
| ruby2.5 | source | buster | 2.5.5-3+deb10u3 | |||
| ruby2.5 | source | (unstable) | (unfixed) | |||
| ruby2.7 | source | (unstable) | 2.7.1-4 |
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7