
====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN555
_____________________________________________________________________

DATE                : 07/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running webrick gem versions prior to 1.6.1,
                     or bundled versions of webrick in ruby prior to
                     2.7.1, 2.6.6, 2.5.8.

=====================================================================
https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
_____________________________________________________________________

CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick

Posted by mame on 29 Sep 2020

A potential HTTP request smuggling vulnerability in WEBrick was
reported. This vulnerability has been assigned the CVE identifier
CVE-2020-25613. We strongly recommend upgrading the webrick gem.


Details

WEBrick was too tolerant of an invalid Transfer-Encoding header.
This may lead to inconsistent interpretation between WEBrick and some
HTTP proxy servers, which may allow an attacker to "smuggle" a request.
See CWE-444 for details.
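The root cause described above is a parser that accepts a Transfer-Encoding value the specification does not define, so the front end and WEBrick may disagree on where one request ends and the next begins. As an added example (not code from the advisory or from WEBrick itself), the following Ruby check is the kind of strict framing validation a front-end filter can apply so that such requests are refused before reaching the back end; the header-name rule, the list of known codings, the "chunked must be last" rule and the refusal of Transfer-Encoding combined with Content-Length are the policy this example assumes, which is stricter than the RFC minimum.

```ruby
# Added example, not code from the advisory or from WEBrick: a strict
# Transfer-Encoding framing check that a front-end filter can apply so
# that a request with ambiguous or unrecognised framing is rejected
# outright instead of being parsed one way by the proxy and another way
# by the back end (the inconsistency CVE-2020-25613 is about).
require 'set'

# RFC 7230 "tchar": the characters allowed in a header name or coding token.
TOKEN = /\A[!#$%&'*+\-.^_`|~0-9A-Za-z]+\z/.freeze

# Transfer codings a back end is expected to understand (RFC 7230, sect. 4).
KNOWN_CODINGS = Set['chunked', 'gzip', 'deflate', 'compress'].freeze

# Parse raw "Name: value" lines into downcased-name => [values], keeping
# duplicates visible. Returns nil when a line is not a well-formed header.
def parse_headers(lines)
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(':', 2)
    return nil unless value && name.match?(TOKEN)   # rejects "Name : value"
    headers[name.downcase] << value.strip
  end
  headers
end

# Conservative policy (an assumption of this example): returns :ok, or a
# symbol naming why the request must be refused with a 400.
def framing_check(lines)
  headers = parse_headers(lines)
  return :reject_malformed_header unless headers
  te = headers['transfer-encoding']
  return :ok if te.empty?                           # plain Content-Length framing
  return :reject_duplicate_te if te.size > 1        # two TE lines: ambiguous
  # TE together with Content-Length: RFC 7230 3.3.3 lets a server refuse this.
  return :reject_conflicting_length unless headers['content-length'].empty?
  # split(..., -1) keeps a trailing empty element, so "chunked," is caught.
  codings = te.first.split(',', -1).map { |c| c.strip.downcase }
  unless !codings.empty? && codings.all? { |c| c.match?(TOKEN) && KNOWN_CODINGS.include?(c) }
    return :reject_unknown_coding
  end
  # "chunked" must be the final coding and must be applied exactly once.
  return :reject_chunked_not_last unless codings.count('chunked') == 1 && codings.last == 'chunked'
  :ok
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers for a quick run.
  puts framing_check(['Host: example.test', 'Transfer-Encoding: chunked'])   # ok
  puts framing_check(['Transfer-Encoding: chunked', 'Content-Length: 5'])    # reject_conflicting_length
end
```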

Please update the webrick gem to version 1.6.1 or later. You can run
"gem update webrick" to update it. If you are using Bundler, add the
following line to your Gemfile:

    gem "webrick", ">= 1.6.1"


Affected versions

    webrick gem 1.6.0 or prior
    bundled versions of webrick in ruby 2.7.1 or prior
    bundled versions of webrick in ruby 2.6.6 or prior
    bundled versions of webrick in ruby 2.5.8 or prior


Credits

Thanks to piao for discovering this issue.


History

    Originally published at 2020-09-29 06:30:00 (UTC)




=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41         +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================