oss-sec mailing list archives
Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-*
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 12 Oct 2011 13:06:10 -0600
Various methods in WEBrick::HTTPRequest in Ruby on Rails 3.0.10 do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. https://redmine.ruby-lang.org/issues/5418 Can we get a CVE for this please? -Kurt Seifried / Red Hat Security Response Team
Current thread:
- radvd 1.8.2 released with security fixes Solar Designer (Oct 06)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
- Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
- Re: radvd 1.8.2 released with security fixes John Haxby (Oct 07)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 08)
- Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 11)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 12)
- Ruby 3.0.10 WEBrick::HTTPRequest X-Forwarded-* Kurt Seifried (Oct 12)
- Re: radvd 1.8.2 released with security fixes Reuben Hawkins (Oct 14)
- Re: radvd 1.8.2 released with security fixes Robert Święcki (Oct 07)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 07)
- Re: radvd 1.8.2 released with security fixes Solar Designer (Oct 13)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 13)
- Re: radvd 1.8.2 released with security fixes Vasiliy Kulikov (Oct 14)
- Re: radvd 1.8.2 released with security fixes Yves-Alexis Perez (Oct 20)
- Re: radvd 1.8.2 released with security fixes Huzaifa Sidhpurwala (Oct 21)