CVE-2017-17742 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2017-17742

CVE-2017-17742

April 03, 2018

Ruby before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 allows an HTTP Response Splitting attack. An attacker can inject a crafted key and value into an HTTP response for the HTTP server of WEBrick.

Related Resources (23)

https://people.canonical.com/~ubuntu-security/cve/CVE-2017-17742

https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html

https://www.debian.org/security/2018/dsa-4259

https://access.redhat.com/errata/RHSA-2018:3730

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/

https://access.redhat.com/security/cve/CVE-2017-17742

https://security-tracker.debian.org/tracker/CVE-2017-17742

https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html

http://www.securityfocus.com/bid/103684

https://access.redhat.com/errata/RHSA-2019:2028

http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html

https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html

https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/

https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html

https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html

http://www.securitytracker.com/id/1042004

https://usn.ubuntu.com/3685-1/

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/

https://access.redhat.com/errata/RHSA-2018:3729

https://access.redhat.com/errata/RHSA-2018:3731

https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/

https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

NONE

Vulnerable System Integrity

LOW

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

5.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

CVSS v2

Base Score:

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-113

EPSS

Base Score:

1.15

Products

Solutions

Resources

Company

Compare

Developer Tools