oss-sec mailing list archives

Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-*

From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 12 Oct 2011 13:06:10 -0600

Various methods in WEBrick::HTTPRequest in Ruby on Rails 3.0.10 do not
validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server
headers in requests, which might allow remote attackers to inject
arbitrary text into log files or bypass intended address parsing via a
crafted header.

https://redmine.ruby-lang.org/issues/5418

Can we get a CVE for this please?

-Kurt Seifried / Red Hat Security Response Team

Current thread:

radvd 1.8.2 released with security fixes Solar Designer (Oct 06)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
  - Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
    - Re: radvd 1.8.2 released with security fixes John Haxby (Oct 07)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 08)
    - Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 11)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
    - Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-* Kurt Seifried (Oct 12)
    - Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 14)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 13)
  - Re: radvd 1.8.2 released with security fixes Solar Designer (Oct 13)
    - Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 13)
    - Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 14)
    - Re: radvd 1.8.2 released with security fixes Yves-Alexis Perez (Oct 20)
    - Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 21)