Potential HTTP Request Smuggling Vulnerability in WEBrick
Published: September 29, 2020
SECURITY IDENTIFIERS
- CVE: CVE-2020-25613 (NVD)
- GHSA: GHSA-gwfg-cqmg-cf8f
- Vendor Advisory: https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
GEM
SEVERITY
CVSS v3.x: 7.5 (High)
PATCHED VERSIONS
>= 1.6.1
DESCRIPTION
WEBrick was too tolerant of an invalid Transfer-Encoding header. This may lead to inconsistent interpretation of the request between WEBrick and some HTTP proxy servers, which may allow an attacker to "smuggle" a request. See CWE-444 for details.
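The mitigation the advisory points at is strict validation of request framing, so that a request with an ambiguous body length is rejected rather than interpreted one way by a proxy and another way by WEBrick. As an added example (not WEBrick's 1.6.1 patch and not code from the advisory), the Ruby check below applies the RFC 7230 framing rules before any body is read: transfer-coding names must be valid tokens, "chunked" must be the final coding, Content-Length values must be numeric and consistent, and a request carrying both Transfer-Encoding and Content-Length is refused. The header-pair list format and the FramingError class are assumptions made for this example.

```ruby
# Added example (not WEBrick's own code): a strict framing check of the kind
# a server or front-end proxy can run before parsing a request body, so that
# a request whose length is ambiguous gets a 400 instead of two different
# interpretations at two hops (the CWE-444 condition).

# RFC 7230 section 3.2.6 token characters, used for transfer-coding names.
TOKEN = /\A[!\#\$%&'*+\-.^_`|~0-9A-Za-z]+\z/
# Transfer codings this example is willing to accept (assumption).
KNOWN_CODINGS = %w[chunked gzip deflate compress identity].freeze

class FramingError < StandardError; end

# headers: an Array of [name, value] pairs as received (names compared
# case-insensitively). Returns :chunked, :content_length or :none, or raises
# FramingError when the framing is invalid or ambiguous.
def request_framing(headers)
  te_values = headers.select { |k, _| k.downcase == "transfer-encoding" }.map(&:last)
  cl_values = headers.select { |k, _| k.downcase == "content-length" }.map(&:last)

  # RFC 7230 3.3.3: both headers present is a framing conflict; reject it
  # rather than letting one hop prefer TE and another prefer CL.
  if !te_values.empty? && !cl_values.empty?
    raise FramingError, "both Transfer-Encoding and Content-Length present"
  end

  unless te_values.empty?
    codings = te_values.join(",").split(",").map(&:strip).map(&:downcase)
    codings.each do |c|
      raise FramingError, "invalid transfer-coding token #{c.inspect}" unless c.match?(TOKEN)
      raise FramingError, "unknown transfer-coding #{c.inspect}" unless KNOWN_CODINGS.include?(c)
    end
    # "chunked" must be the last coding applied; anything else (including an
    # empty list) leaves the body length undefined.
    raise FramingError, "chunked must be the final transfer-coding" unless codings.last == "chunked"
    return :chunked
  end

  unless cl_values.empty?
    raise FramingError, "conflicting Content-Length values" if cl_values.uniq.size > 1
    raise FramingError, "non-numeric Content-Length" unless cl_values.first.match?(/\A\d+\z/)
    return :content_length
  end

  :none
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header sets, not captured traffic.
  [
    [["Host", "example.test"], ["Transfer-Encoding", "chunked"]],
    [["Host", "example.test"], ["Content-Length", "12"]],
    [["Host", "example.test"], ["Transfer-Encoding", "chunked"], ["Content-Length", "12"]],
    [["Host", "example.test"], ["Transfer-Encoding", "xchunked"]]
  ].each do |hdrs|
    begin
      puts "#{hdrs.inspect} => #{request_framing(hdrs)}"
    rescue FramingError => e
      puts "#{hdrs.inspect} => rejected (#{e.message})"
    end
  end
end
```

Lower-casing and stripping each coding name is deliberate: the check is lenient about case and surrounding whitespace, which the RFC permits, but strict about anything that changes the meaning of the framing. A server that raises FramingError here should answer with 400 and close the connection, so that no further bytes on that connection are read as a second request.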
