{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-16254", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2024-08-05T01:10:41.699Z", "dateReserved": "2019-09-11T00:00:00", "datePublished": "2019-11-26T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2023-04-30T00:00:00"}, "descriptions": [{"lang": "en", "value": "Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://hackerone.com/reports/331984"}, {"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/"}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/"}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/"}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/"}, {"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"}, {"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2019/Dec/31"}, {"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update", "tags": ["mailing-list"], "url": "https://seclists.org/bugtraq/2019/Dec/32"}, {"name": "DSA-4587", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2019/dsa-4587"}, {"name": "DSA-4586", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2019/dsa-4586"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"name": "GLSA-202003-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202003-06"}, {"name": "openSUSE-SU-2020:0395", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}, {"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:10:41.699Z"}, "title": "CVE Program Container", "references": [{"url": "https://hackerone.com/reports/331984", "tags": ["x_transferred"]}, {"url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/", "tags": ["x_transferred"]}, {"url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/", "tags": ["x_transferred"]}, {"name": "[debian-lts-announce] 20191210 [SECURITY] [DLA 2027-1] jruby security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"}, {"name": "20191217 [SECURITY] [DSA 4587-1] ruby2.3 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/31"}, {"name": "20191217 [SECURITY] [DSA 4586-1] ruby2.5 security update", "tags": ["mailing-list", "x_transferred"], "url": "https://seclists.org/bugtraq/2019/Dec/32"}, {"name": "DSA-4587", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4587"}, {"name": "DSA-4586", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2019/dsa-4586"}, {"url": "https://www.oracle.com/security-alerts/cpujan2020.html", "tags": ["x_transferred"]}, {"name": "GLSA-202003-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-06"}, {"name": "openSUSE-SU-2020:0395", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"}, {"name": "[debian-lts-announce] 20200816 [SECURITY] [DLA 2330-1] jruby security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}, {"name": "[debian-lts-announce] 20230430 [SECURITY] [DLA 3408-1] jruby security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "A6EFA741-C6E9-4362-AE58-785B0053A2A7", "versionEndIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2C45233-D18A-47C8-8D49-BB05ADD50D88", "versionEndIncluding": "2.4.7", "versionStartIncluding": "2.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "6E259007-36E1-418F-8493-A5A7928129F6", "versionEndIncluding": "2.5.6", "versionStartIncluding": "2.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*", "matchCriteriaId": "E746C3E0-0162-4487-AB58-2579B2BE1FD4", "versionEndIncluding": "2.6.4", "versionStartIncluding": "2.6.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "C11E6FB0-C8C0-4527-9AA0-CB9B316F8F43", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF."}, {"lang": "es", "value": "Ruby versiones hasta 2.4.7, versiones 2.5.x hasta 2.5.6 y versiones 2.6.x hasta 2.6.4, permite HTTP Response Splitting. Si un programa que utiliza WEBrick inserta informaci\u00f3n no segura en el encabezado de respuesta, un atacante puede explotarlo para insertar un car\u00e1cter newline para dividir un encabezado e inyectar contenido malicioso para enga\u00f1ar a los clientes. NOTA: este problema se presenta debido a una soluci\u00f3n incompleta de CVE-2017-17742, que abord\u00f3 el vector CRLF, pero no abord\u00f3 un CR aislado o un LF aislado."}], "id": "CVE-2019-16254", "lastModified": "2023-04-30T23:15:44.607", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-26T18:15:15.210", "references": [{"source": "cve@mitre.org", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"}, {"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://hackerone.com/reports/331984"}, {"source": "cve@mitre.org", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2019/11/msg00025.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html"}, {"source": "cve@mitre.org", "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Dec/31"}, {"source": "cve@mitre.org", "url": "https://seclists.org/bugtraq/2019/Dec/32"}, {"source": "cve@mitre.org", "url": "https://security.gentoo.org/glsa/202003-06"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4586"}, {"source": "cve@mitre.org", "url": "https://www.debian.org/security/2019/dsa-4587"}, {"source": "cve@mitre.org", "url": "https://www.oracle.com/security-alerts/cpujan2020.html"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ruby-lang.org/ja/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-4-8-released/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-5-7-released/"}, {"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://www.ruby-lang.org/ja/news/2019/10/01/ruby-2-6-5-released/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-74"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2021:2587", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.5-8040020200923213910.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2021:2588", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:2.6-8040020210430142949.522a0ee4", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2021-06-29T00:00:00Z"}, {"advisory": "RHSA-2022:0581", "cpe": "cpe:/a:redhat:rhel_e4s:8.1", "package": "ruby:2.6-8010020220201152941.c27ad7f8", "product_name": "Red Hat Enterprise Linux 8.1 Update Services for SAP Solutions", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2022:0582", "cpe": "cpe:/a:redhat:rhel_eus:8.2", "package": "ruby:2.6-8020020220201131207.4cda2c84", "product_name": "Red Hat Enterprise Linux 8.2 Extended Update Support", "release_date": "2022-02-21T00:00:00Z"}, {"advisory": "RHSA-2021:2104", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.9-9.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-05-26T00:00:00Z"}, {"advisory": "RHSA-2021:2230", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby26-ruby-0:2.6.7-119.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date": "2021-06-03T00:00:00Z"}, {"advisory": "RHSA-2021:2104", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.9-9.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS", "release_date": "2021-05-26T00:00:00Z"}, {"advisory": "RHSA-2021:2104", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby25-ruby-0:2.5.9-9.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-05-26T00:00:00Z"}, {"advisory": "RHSA-2021:2230", "cpe": "cpe:/a:redhat:rhel_software_collections:3::el7", "package": "rh-ruby26-ruby-0:2.6.7-119.el7", "product_name": "Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS", "release_date": "2021-06-03T00:00:00Z"}], "bugzilla": {"description": "ruby: HTTP response splitting in WEBrick", "id": "1789556", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1789556"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "status": "verified"}, "cwe": "CWE-113", "details": ["Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF."], "name": "CVE-2019-16254", "package_state": [{"cpe": "cpe:/a:redhat:red_hat_3scale_amp:2", "fix_state": "Will not fix", "package_name": "3amp-system", "product_name": "Red Hat 3scale API Management Platform 2"}, {"cpe": "cpe:/o:redhat:enterprise_linux:5", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 5"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/a:redhat:rhel_software_collections:3", "fix_state": "Will not fix", "package_name": "rh-ruby24-ruby", "product_name": "Red Hat Software Collections"}], "public_date": "2019-10-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-16254\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-16254"], "threat_severity": "Low", "upstream_fix": "ruby 2.4.8, ruby 2.5.7, ruby 2.6.5, ruby 2.7.0"}