PublicDateAtUSN: 2020-10-06 13:15:00 UTC
Candidate: CVE-2020-25613
PublicDate: 2020-10-06 13:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613
 https://www.ruby-lang.org/en/news/2020/09/29/http-request-smuggling-cve-2020-25613/
 https://ubuntu.com/security/notices/USN-4882-1
Description:
 An issue was discovered in Ruby through 2.5.8, 2.6.x through 2.6.6, and
 2.7.x through 2.7.1. WEBrick, a simple HTTP server bundled with Ruby, had
 not checked the transfer-encoding header value rigorously. An attacker may
 potentially exploit this issue to bypass a reverse proxy (which also has a
 poor header check), which may lead to an HTTP Request Smuggling attack.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972230
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N [7.5 HIGH]

Patches_ruby1.9.1:
upstream_ruby1.9.1: needs-triage
precise/esm_ruby1.9.1: DNE
trusty_ruby1.9.1: ignored (out of standard support)
trusty/esm_ruby1.9.1: DNE
xenial_ruby1.9.1: DNE
bionic_ruby1.9.1: DNE
focal_ruby1.9.1: DNE
groovy_ruby1.9.1: DNE
devel_ruby1.9.1: DNE

Patches_ruby2.0:
upstream_ruby2.0: needs-triage
precise/esm_ruby2.0: DNE
trusty_ruby2.0: ignored (out of standard support)
trusty/esm_ruby2.0: DNE
xenial_ruby2.0: DNE
bionic_ruby2.0: DNE
focal_ruby2.0: DNE
groovy_ruby2.0: DNE
devel_ruby2.0: DNE

Patches_ruby2.3:
upstream_ruby2.3: needs-triage
precise/esm_ruby2.3: DNE
trusty_ruby2.3: DNE
trusty/esm_ruby2.3: DNE
xenial_ruby2.3: released (2.3.1-2~ubuntu16.04.15)
esm-infra/xenial_ruby2.3: released (2.3.1-2~ubuntu16.04.15)
bionic_ruby2.3: DNE
focal_ruby2.3: DNE
groovy_ruby2.3: DNE
devel_ruby2.3: DNE

Patches_ruby2.5:
upstream_ruby2.5: needs-triage
precise/esm_ruby2.5: DNE
trusty_ruby2.5: DNE
trusty/esm_ruby2.5: DNE
xenial_ruby2.5: DNE
bionic_ruby2.5: released (2.5.1-1ubuntu1.8)
focal_ruby2.5: DNE
groovy_ruby2.5: DNE
devel_ruby2.5: DNE

Patches_ruby2.7:
 upstream: https://github.com/ruby/webrick/commit/8946bb38b4d87549f0d99ed73c62c41933f97cc7
upstream_ruby2.7: released (2.7.1-4)
precise/esm_ruby2.7: DNE
trusty_ruby2.7: DNE
trusty/esm_ruby2.7: DNE
xenial_ruby2.7: DNE
bionic_ruby2.7: DNE
focal_ruby2.7: released (2.7.0-5ubuntu1.3)
groovy_ruby2.7: released (2.7.1-3ubuntu1.2)
devel_ruby2.7: not-affected (2.7.2-4)
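The description above says WEBrick did not check the Transfer-Encoding value rigorously and that the bug becomes request smuggling only when a reverse proxy in front of it also frames the body carelessly. The following is an added example, not WEBrick's code nor anything from the Ubuntu tracker: a small HTTP/1.1 request framer that runs the same constructed bytes through a lax backend check (substring match on "chunked"), a strict check (whole value must be "chunked"), and a front-end proxy that silently falls back to Content-Length when it does not recognise the TE value. The specific regexes, the "xchunked" value and the helper names are my assumptions for illustration; the point is that the lax backend and the proxy disagree on where the first request ends, so the bytes after the terminating chunk become a second request the proxy never saw, while the strict check rejects the request outright.

```ruby
# Added example, not WEBrick's or the Ubuntu tracker's code: a minimal HTTP/1.1
# request framer that models (a) a lax Transfer-Encoding check, (b) the strict
# check the upstream fix moves towards, and (c) a front-end proxy with a poor
# header check that falls back to Content-Length. The exact regexes and the
# "xchunked" value are my assumptions for illustration.
require 'stringio'

class UnsupportedTransferEncoding < StandardError; end

# Substring-style match: accepts "xchunked", "chunked-foo", "gzip, chunked" ...
LAX_CHUNKED    = ->(te) { te =~ /chunked/i }
# Anchored match: the whole header value must be exactly "chunked".
STRICT_CHUNKED = ->(te) { te =~ /\Achunked\z/i }

# Split raw bytes into request line, lower-cased header hash and the remainder.
def parse_head(raw)
  head, _sep, rest = raw.partition("\r\n\r\n")
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = {}
  lines.each do |line|
    name, value = line.split(":", 2)
    headers[name.strip.downcase] = value.to_s.strip
  end
  [request_line, headers, rest]
end

# Decode a chunked body; return [decoded_body, bytes_left_on_the_connection].
def read_chunked(rest)
  io = StringIO.new(rest)
  body = String.new
  loop do
    size_line = io.gets("\r\n") or raise "truncated chunked body"
    size = size_line.split(";").first.strip.to_i(16)   # ignore chunk extensions
    break if size.zero?
    body << io.read(size)
    io.read(2)                                         # CRLF after chunk data
  end
  loop do                                              # skip trailers up to blank line
    line = io.gets("\r\n")
    break if line.nil? || line == "\r\n"
  end
  [body, io.read]
end

# Frame one request. chunked_check decides whether the TE value means chunked;
# ignore_unknown_te: true models a proxy that drops an unrecognised TE and
# uses Content-Length instead of rejecting the request.
def read_request(raw, chunked_check, ignore_unknown_te: false)
  request_line, headers, rest = parse_head(raw)
  te = headers["transfer-encoding"]
  if te && chunked_check.call(te)
    body, leftover = read_chunked(rest)
  elsif te && !ignore_unknown_te
    raise UnsupportedTransferEncoding, "Transfer-Encoding: #{te}."   # 501 in WEBrick
  elsif (cl = headers["content-length"])
    n = Integer(cl)
    body = rest.byteslice(0, n)
    leftover = rest.byteslice(n..-1) || ""
  else
    body, leftover = "", rest
  end
  { request_line: request_line, body: body, leftover: leftover }
end

# Constructed attacker request: Content-Length covers the whole tail, but a
# chunked parser stops at "0\r\n\r\n" and sees the rest as a second request.
SMUGGLED_TAIL = "0\r\n\r\nGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
ATTACK = "POST / HTTP/1.1\r\nHost: example.test\r\n" \
         "Content-Length: #{SMUGGLED_TAIL.bytesize}\r\n" \
         "Transfer-Encoding: xchunked\r\n\r\n" + SMUGGLED_TAIL

# Run the same bytes through the three parties and report where each one
# thinks the first request ends.
def desync_demo
  proxy = read_request(ATTACK, STRICT_CHUNKED, ignore_unknown_te: true)
  lax   = read_request(ATTACK, LAX_CHUNKED)
  strict = begin
    read_request(ATTACK, STRICT_CHUNKED)
    :accepted
  rescue UnsupportedTransferEncoding
    :rejected_501
  end
  { proxy_leftover: proxy[:leftover], lax_leftover: lax[:leftover], strict: strict }
end

if __FILE__ == $0
  r = desync_demo
  puts "proxy saw one request, leftover bytes: #{r[:proxy_leftover].bytesize}"
  puts "lax backend leftover (smuggled request): #{r[:lax_leftover].inspect}"
  puts "strict backend: #{r[:strict]}"
end
```

Running the script shows the proxy consuming the whole body via Content-Length (no leftover), the lax backend stopping after the zero-length chunk and holding "GET /admin ..." as the next request on the keep-alive connection, and the strict backend refusing the ambiguous request. When checking a patched build, the test to make is exactly this: a request carrying an obfuscated Transfer-Encoding value must get a 501, not a chunked parse.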