CVE-2019-16254
Description
Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.
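The note about the incomplete fix is the security-relevant point: a check that rejects only the two-byte sequence CRLF still lets a lone CR or lone LF through, and many clients treat either byte alone as the end of a header line. The following Ruby snippet is an added example, not code from the Ruby project or from WEBrick; the function names (`crlf_only_check?`, `safe_header_value?`, `build_location_header`) and the sample inputs are constructed for illustration. It places the CRLF-only check beside a complete one and runs both over the same untrusted values so the gap is visible.

```ruby
# Added example (not part of the CVE record or of Ruby/WEBrick): shows why
# rejecting only "\r\n" is an incomplete fix and what a complete check looks like.

# Models the CRLF-only check: only the combined "\r\n" sequence is rejected.
def crlf_only_check?(value)
  !value.include?("\r\n")
end

# Complete check: an isolated CR or an isolated LF is enough to terminate a
# header line for many clients, so any occurrence of either byte is rejected.
def safe_header_value?(value)
  !value.match?(/[\r\n]/)
end

# Builds a Location header from untrusted input, refusing anything that could
# split the header. Raising (rather than silently stripping bytes) makes the
# bad input visible to the caller and to logging.
def build_location_header(untrusted)
  raise ArgumentError, "header value contains CR or LF" unless safe_header_value?(untrusted)
  "Location: #{untrusted}"
end

# Constructed sample inputs: one benign redirect target and the three shapes
# the CVE text distinguishes (CRLF, isolated CR, isolated LF).
SAMPLES = {
  benign:  "/account",
  crlf:    "/account\r\nX-Injected: yes",
  bare_cr: "/account\rX-Injected: yes",
  bare_lf: "/account\nX-Injected: yes",
}.freeze

# For each sample, reports whether each check accepts it. The two bare-byte
# cases are exactly where the CRLF-only check says "fine" and the complete
# check says "reject".
def compare_checks
  SAMPLES.transform_values do |v|
    { crlf_only: crlf_only_check?(v), complete: safe_header_value?(v) }
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks.each do |name, r|
    puts "#{name}: crlf_only=#{r[:crlf_only]} complete=#{r[:complete]}"
  end
end
```

The same pattern applies to any header built from request data (redirect targets, Content-Disposition filenames, custom headers): validate with a character-class test for both bytes, not a substring test for the pair, and fail closed.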
GitHub Security Advisory
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Advisory provided by GitHub Security Advisory Database. Published: May 24, 2022, Modified: May 1, 2023