CVE Vulnerabilities

CVE-2011-3624

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Published: Nov 26, 2019 | Modified: Dec 11, 2019
CVSS 3.x
5.3
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
5 LOW
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V3
Ubuntu
LOW

Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.

Weakness

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

Affected Software

Name Vendor Start Version End Version
Ruby Ruby-lang 1.8.7 (including) 1.8.7 (including)
Ruby Ruby-lang 1.9.2 (including) 1.9.2 (including)
Ruby1.9.1 Ubuntu lucid *
Ruby1.9.1 Ubuntu maverick *
Ruby1.9.1 Ubuntu natty *
Ruby1.9.1 Ubuntu oneiric *
Ruby1.9.1 Ubuntu precise *
Ruby1.9.1 Ubuntu quantal *
Ruby1.9.1 Ubuntu raring *
Ruby1.9.1 Ubuntu saucy *
Ruby1.9.1 Ubuntu trusty *
Ruby1.9.1 Ubuntu utopic *
Ruby1.9.1 Ubuntu vivid *

Potential Mitigations

References