Skip to content

Commit 7f8b17b

Browse files
jasnowRubySec CI
jasnow
authored and
RubySec CI
committed
Updated advisory posts against rubysec/ruby-advisory-db@77ef7ef 
1 parent d2b6397 commit 7f8b17b

File tree

1 file changed

+31
-0
lines changed

1 file changed

+31
-0
lines changed

advisories/_posts/2024-09-22-CVE-2024-47220.md

Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2024-47220 (webrick): HTTP Request Smuggling in ruby webrick'
4+
comments: false
5+
categories:
6+
- webrick
7+
advisory:
8+
gem: webrick
9+
cve: 2024-47220
10+
ghsa: 6f62-3596-g6w7
11+
url: https://github.com/advisories/GHSA-6f62-3596-g6w7
12+
title: HTTP Request Smuggling in ruby webrick
13+
date: 2024-09-22
14+
description: |
15+
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby.
16+
It allows HTTP request smuggling by providing both a Content-Length
17+
header and a Transfer-Encoding header, e.g.,
18+
"GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n"
19+
request.
20+
21+
NOTE: the supplier''s position is "Webrick should not be used in production."
22+
cvss_v3: 7.5
23+
notes: Never patched
24+
related:
25+
url:
26+
- https://nvd.nist.gov/vuln/detail/CVE-2024-47220
27+
- https://github.com/ruby/webrick/issues/145
28+
- https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
29+
- https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
30+
- https://github.com/advisories/GHSA-6f62-3596-g6w7
31+
---

0 commit comments

Comments
 (0)