Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ruby | Ruby-lang | * | 2.3.0 (including) |
| Ruby | Ruby-lang | 2.4.0 (including) | 2.4.7 (including) |
| Ruby | Ruby-lang | 2.5.0 (including) | 2.5.6 (including) |
| Ruby | Ruby-lang | 2.6.0 (including) | 2.6.4 (including) |