More information
#### Details
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N`
#### References
- [https://nvd.nist.gov/vuln/detail/CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220)
- [https://github.com/ruby/webrick/issues/145](https://redirect.github.com/ruby/webrick/issues/145)
- [https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841](https://redirect.github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841)
- [https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7](https://redirect.github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7)
- [https://github.com/ruby/webrick](https://redirect.github.com/ruby/webrick)
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6f62-3596-g6w7) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
Release Notes
ruby/webrick (webrick)
### [`v1.8.2`](https://redirect.github.com/ruby/webrick/releases/tag/v1.8.2)
[Compare Source](https://redirect.github.com/ruby/webrick/compare/v1.8.1...v1.8.2)
#### What's Changed
- Drop commented-out line by [@olleolleolle](https://redirect.github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://redirect.github.com/ruby/webrick/pull/108)
- Add Ruby 3.1 & 3.2 to CI matrix by [@tricknotes](https://redirect.github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109)
- Fix/redos by [@ooooooo-q](https://redirect.github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114)
- Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://redirect.github.com/ruby/webrick/pull/120)
- Bump actions/checkout from 3 to 4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://redirect.github.com/ruby/webrick/pull/121)
- Improve CI by [@hsbt](https://redirect.github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://redirect.github.com/ruby/webrick/pull/123)
- Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128)
- Fix bug chunk extension detection by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://redirect.github.com/ruby/webrick/pull/125)
- Fix CI. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://redirect.github.com/ruby/webrick/pull/131)
- Merge multiple cookie headers, preserving semantic correctness. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://redirect.github.com/ruby/webrick/pull/130)
- Test on macos-latest by [@byroot](https://redirect.github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132)
- Require CRLF line endings in request line and headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://redirect.github.com/ruby/webrick/pull/138)
- Prefer squigly heredocs. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://redirect.github.com/ruby/webrick/pull/143)
- Only strip space and horizontal tab in headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://redirect.github.com/ruby/webrick/pull/141)
- Treat missing CRLF separator after headers as an EOFError by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://redirect.github.com/ruby/webrick/pull/142)
- Return 400 response for chunked requests with unexpected data after chunk by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://redirect.github.com/ruby/webrick/pull/136)
- Fix reference to URI::REGEXP::PATTERN::HOST by [@casperisfine](https://redirect.github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144)
- Prevent request smuggling by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://redirect.github.com/ruby/webrick/pull/146)
#### New Contributors
- [@tricknotes](https://redirect.github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109)
- [@ooooooo-q](https://redirect.github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114)
- [@KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128)
- [@byroot](https://redirect.github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132)
- [@casperisfine](https://redirect.github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144)
**Full Changelog**: https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2
Configuration
📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
1.8.1
->1.8.2
HTTP Request Smuggling in ruby webrick
CVE-2024-47220 / GHSA-6f62-3596-g6w7
More information
#### Details An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production." #### Severity - CVSS Score: 7.5 / 10 (High) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2024-47220](https://nvd.nist.gov/vuln/detail/CVE-2024-47220) - [https://github.com/ruby/webrick/issues/145](https://redirect.github.com/ruby/webrick/issues/145) - [https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841](https://redirect.github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841) - [https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7](https://redirect.github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7) - [https://github.com/ruby/webrick](https://redirect.github.com/ruby/webrick) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6f62-3596-g6w7) and the [GitHub Advisory Database](https://redirect.github.com/github/advisory-database) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
ruby/webrick (webrick)
### [`v1.8.2`](https://redirect.github.com/ruby/webrick/releases/tag/v1.8.2) [Compare Source](https://redirect.github.com/ruby/webrick/compare/v1.8.1...v1.8.2) #### What's Changed - Drop commented-out line by [@olleolleolle](https://redirect.github.com/olleolleolle) in [https://github.com/ruby/webrick/pull/108](https://redirect.github.com/ruby/webrick/pull/108) - Add Ruby 3.1 & 3.2 to CI matrix by [@tricknotes](https://redirect.github.com/tricknotes) in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109) - Fix/redos by [@ooooooo-q](https://redirect.github.com/ooooooo-q) in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114) - Raise HTTPStatus::BadRequest for requests with invalid/duplicate content-length headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/120](https://redirect.github.com/ruby/webrick/pull/120) - Bump actions/checkout from 3 to 4 by [@dependabot](https://redirect.github.com/dependabot) in [https://github.com/ruby/webrick/pull/121](https://redirect.github.com/ruby/webrick/pull/121) - Improve CI by [@hsbt](https://redirect.github.com/hsbt) in [https://github.com/ruby/webrick/pull/123](https://redirect.github.com/ruby/webrick/pull/123) - Fix WEBrick::TestFileHandler#test_short_filename test not working on mswin by [@KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128) - Fix bug chunk extension detection by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/125](https://redirect.github.com/ruby/webrick/pull/125) - Fix CI. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/131](https://redirect.github.com/ruby/webrick/pull/131) - Merge multiple cookie headers, preserving semantic correctness. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/130](https://redirect.github.com/ruby/webrick/pull/130) - Test on macos-latest by [@byroot](https://redirect.github.com/byroot) in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132) - Require CRLF line endings in request line and headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/138](https://redirect.github.com/ruby/webrick/pull/138) - Prefer squigly heredocs. by [@ioquatix](https://redirect.github.com/ioquatix) in [https://github.com/ruby/webrick/pull/143](https://redirect.github.com/ruby/webrick/pull/143) - Only strip space and horizontal tab in headers by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/141](https://redirect.github.com/ruby/webrick/pull/141) - Treat missing CRLF separator after headers as an EOFError by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/142](https://redirect.github.com/ruby/webrick/pull/142) - Return 400 response for chunked requests with unexpected data after chunk by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/136](https://redirect.github.com/ruby/webrick/pull/136) - Fix reference to URI::REGEXP::PATTERN::HOST by [@casperisfine](https://redirect.github.com/casperisfine) in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144) - Prevent request smuggling by [@jeremyevans](https://redirect.github.com/jeremyevans) in [https://github.com/ruby/webrick/pull/146](https://redirect.github.com/ruby/webrick/pull/146) #### New Contributors - [@tricknotes](https://redirect.github.com/tricknotes) made their first contribution in [https://github.com/ruby/webrick/pull/109](https://redirect.github.com/ruby/webrick/pull/109) - [@ooooooo-q](https://redirect.github.com/ooooooo-q) made their first contribution in [https://github.com/ruby/webrick/pull/114](https://redirect.github.com/ruby/webrick/pull/114) - [@KJTsanaktsidis](https://redirect.github.com/KJTsanaktsidis) made their first contribution in [https://github.com/ruby/webrick/pull/128](https://redirect.github.com/ruby/webrick/pull/128) - [@byroot](https://redirect.github.com/byroot) made their first contribution in [https://github.com/ruby/webrick/pull/132](https://redirect.github.com/ruby/webrick/pull/132) - [@casperisfine](https://redirect.github.com/casperisfine) made their first contribution in [https://github.com/ruby/webrick/pull/144](https://redirect.github.com/ruby/webrick/pull/144) **Full Changelog**: https://github.com/ruby/webrick/compare/v1.8.1...v1.8.2Configuration
📅 Schedule: Branch creation - "" in timezone Australia/Sydney, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.