CVE-2019-16254

CVE	CVE-2019-16254
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-11-26 18:15:00 UTC
Updated	2023-04-30 23:15:00 UTC
Description	Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Problem Types: CWE-74

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All
Application	Ruby-lang	Ruby	All	All	All	All

Reference	Source	Link	Tags
[SECURITY] [DLA 2330-1] jruby security update	MLIST	lists.debian.org
Bugtraq: [SECURITY] [DSA 4587-1] ruby2.3 security update	BUGTRAQ	seclists.org
Ruby 2.5.7 リリース	CONFIRM	www.ruby-lang.org	Vendor Advisory
Debian -- Security Information -- DSA-4587-1 ruby2.3	DEBIAN	www.debian.org
Bugtraq: [SECURITY] [DSA 4586-1] ruby2.5 security update	BUGTRAQ	seclists.org
[security-announce] openSUSE-SU-2020:0395-1: important: Recommended upda	SUSE	lists.opensuse.org
[SECURITY] [DLA 2027-1] jruby security update	MLIST	lists.debian.org
[SECURITY] [DLA 3408-1] jruby security update	MLIST	lists.debian.org
[SECURITY] [DLA 2007-1] ruby2.1 security update	MISC	lists.debian.org	Mailing List, Third Party Advisory
Ruby 2.4.8 リリース	CONFIRM	www.ruby-lang.org	Vendor Advisory
HackerOne	MISC	hackerone.com	Third Party Advisory
Ruby 2.6.5 リリース	CONFIRM	www.ruby-lang.org	Vendor Advisory
Oracle Critical Patch Update Advisory - January 2020	MISC	www.oracle.com
Debian -- Security Information -- DSA-4586-1 ruby2.5	DEBIAN	www.debian.org
CVE-2019-16254: WEBrick における HTTP レスポンス偽装の脆弱性について（追加の修正）	CONFIRM	www.ruby-lang.org	Vendor Advisory
Ruby: Multiple vulnerabilities (GLSA 202003-06) — Gentoo security	GENTOO	security.gentoo.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

159290 Oracle Enterprise Linux Security Update for ruby:2.5 (ELSA-2021-2587)
159298 Oracle Enterprise Linux Security Update for ruby:2.6 (ELSA-2021-2588)
181757 Debian Security Update for jruby (DLA 3408-1)
239350 Red Hat Update for rh-ruby25-ruby (RHSA-2021:2104)
239368 Red Hat Update for rh-ruby26-ruby (RHSA-2021:2230)
239461 Red Hat Update for ruby:2.6 (RHSA-2021:2588)
239462 Red Hat Update for ruby:2.5 (RHSA-2021:2587)
240156 Red Hat Update for ruby:2.6 (RHSA-2022:0582)
296076 Oracle Solaris 11.4 Support Repository Update (SRU) 19.3.0 Missing (CPUJAN2020)
356305 Amazon Linux Security Advisory for ruby : ALASRUBY2.6-2023-007
357267 Amazon Linux Security Advisory for ruby : ALAS2-2024-2486
500612 Alpine Linux Security Update for ruby
504372 Alpine Linux Security Update for ruby
900069 CBL-Mariner Linux Security Update for ruby 2.6.3
903454 Common Base Linux Mariner (CBL-Mariner) Security Update for ruby (2677)
940189 AlmaLinux Security Update for ruby:2.6 (ALSA-2021:2588)
940401 AlmaLinux Security Update for ruby:2.5 (ALSA-2021:2587)
960022 Rocky Linux Security Update for ruby:2.6 (RLSA-2021:2588)
960064 Rocky Linux Security Update for ruby:2.5 (RLSA-2021:2587)