|Description||An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had not checked the transfer-encoding header value rigorously. An attacker may potentially exploit this issue to bypass a reverse proxy (which also has a poor header check), which may lead to an HTTP Request Smuggling attack.|
|Source||CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)|
|References||DLA-2391-1, DLA-2392-1, DLA-3408-1, ELA-290-1|
Vulnerable and fixed packages
The table below lists information on source packages.
|jruby (PTS)||jessie, jessie (lts)||1.5.6-9+deb8u2||vulnerable|
|stretch (security), stretch (lts), stretch||1.7.26-1+deb9u3||fixed|
|ruby2.1 (PTS)||jessie, jessie (lts)||2.1.5-2+deb8u13||fixed|
|ruby2.3 (PTS)||stretch (security), stretch (lts), stretch||2.3.3-1+deb9u11||fixed|
|ruby2.7 (PTS)||bullseye (security), bullseye||2.7.4-1+deb11u1||fixed|
The information below is based on the following data on fixed versions.
Fix in webrick: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7