RubySec

Providing security resources for the Ruby community

CVE-2011-3186 (actionpack): Response Splitting Vulnerability in Ruby on Rails

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

SEVERITY

CVSS v2: 4.3 (Medium)

PATCHED VERSIONS

  • >= 2.3.13

DESCRIPTION

A response splitting flaw in Ruby on Rails 2.3.x was reported that could allow a remote attacker to inject arbitrary HTTP headers into a response due to insufficient sanitization of the values provided for response content types.