CVE-2017-17742
First published: Wed Mar 28 2018(Updated: )
If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients. Affected versions: Ruby 2.2 series: 2.2.9 and earlier Ruby 2.3 series: 2.3.6 and earlier Ruby 2.4 series: 2.4.3 and earlier Ruby 2.5 series: 2.5.0 and earlier External References: <a href="https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/">https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/</a>
Credit: CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ruby | <0:2.0.0.648-36.el7 | 0:2.0.0.648-36.el7 |
| redhat/ruby | <0:2.0.0.648-36.el7_4 | 0:2.0.0.648-36.el7_4 |
| redhat/ruby | <0:2.0.0.648-36.el7_5 | 0:2.0.0.648-36.el7_5 |
| redhat/ruby | <0:2.0.0.648-37.el7_6 | 0:2.0.0.648-37.el7_6 |
| redhat/rh-ruby23-ruby | <0:2.3.8-69.el6 | 0:2.3.8-69.el6 |
| redhat/rh-ruby24-ruby | <0:2.4.5-91.el6 | 0:2.4.5-91.el6 |
| redhat/rh-ruby23-ruby | <0:2.3.8-69.el7 | 0:2.3.8-69.el7 |
| redhat/rh-ruby24-ruby | <0:2.4.5-91.el7 | 0:2.4.5-91.el7 |
| redhat/rh-ruby25-ruby | <0:2.5.3-6.el7 | 0:2.5.3-6.el7 |
| Ruby-lang Ruby | >=2.2.0<2.2.10 | |
| Ruby-lang Ruby | >=2.3.0<2.3.7 | |
| Ruby-lang Ruby | >=2.4.0<2.4.4 | |
| Ruby-lang Ruby | >=2.5.0<2.5.1 | |
| Ruby-lang Ruby | =2.6.0-preview1 | |
| Debian Debian Linux | =7.0 | |
| Apple macOS Mojave | <10.14.1 | 10.14.1 |
| Apple High Sierra | ||
| Apple Sierra | ||
| Apple macOS High Sierra | <10.13.6 | 10.13.6 |
| Apple El Capitan | ||
| redhat/ruby | <2.2.10 | 2.2.10 |
| redhat/ruby | <2.3.7 | 2.3.7 |
| redhat/ruby | <2.4.4 | 2.4.4 |
| redhat/ruby | <2.5.1 | 2.5.1 |
| debian/jruby | 9.3.9.0+ds-8 9.4.8.0+ds-1 |
Remedy
The server can manually sanitize possibly untrusted headers prior to inserting them in the reply.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2017-17742 https://nvd.nist.gov/vuln/detail/CVE-2017-17742 https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
- https://bugzilla.redhat.com/show_bug.cgi?id=1561952
- https://access.redhat.com/errata/RHSA-2019:2028
- https://access.redhat.com/errata/RHSA-2020:2212
- https://access.redhat.com/errata/RHSA-2020:1963
- https://access.redhat.com/errata/RHSA-2020:2288
- https://access.redhat.com/errata/RHSA-2018:3729
- https://access.redhat.com/errata/RHSA-2018:3730
- https://access.redhat.com/errata/RHSA-2018:3731
- https://access.redhat.com/security/cve/CVE-2017-17742
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00036.html
- http://www.securityfocus.com/bid/103684
- http://www.securitytracker.com/id/1042004
- https://lists.debian.org/debian-lts-announce/2018/04/msg00023.html
- https://lists.debian.org/debian-lts-announce/2018/04/msg00024.html
- https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00009.html
- https://lists.debian.org/debian-lts-announce/2020/08/msg00027.html
- https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html
- https://usn.ubuntu.com/3685-1/
- https://www.debian.org/security/2018/dsa-4259
- https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-2-10-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-3-7-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-4-4-released/
- https://www.ruby-lang.org/en/news/2018/03/28/ruby-2-5-1-released/
- https://launchpad.net/bugs/cve/CVE-2017-17742
- https://support.apple.com/en-us/HT209193 (Advisory)
- https://support.apple.com/en-us/HT208937 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1561957
- https://access.redhat.com/security/updates/classification/
- https://github.com/ruby/ruby/commit/d9d4a28f1cdd05a0e8dabb36d747d40bbcc30f16
- https://github.com/ruby/ruby/commit/bbda1a027475bf7ce5e1a9583a7b55d0be71c8fe
- https://github.com/jruby/jruby/releases/tag/9.2.12.0
- https://security-tracker.debian.org/tracker/CVE-2017-17742
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17742
- https://nvd.nist.gov/vuln/detail/CVE-2017-17742
- https://ubuntu.com/security/CVE-2017-17742
Parent vulnerabilities
(Appears in the following advisories)
Peer vulnerabilities
(Found alongside the following vulnerabilities)
- CVE-2018-4295
- CVE-2018-4410
- CVE-2018-4417
- CVE-2017-12613
- CVE-2017-12618
- CVE-2018-4411
- CVE-2018-4308
- CVE-2018-4468
- CVE-2018-4126
- CVE-2018-4415
- CVE-2018-4398
- CVE-2018-4412
- CVE-2018-4153
- CVE-2018-4406
- CVE-2018-4346
- CVE-2018-4403
- CVE-2018-4423
- CVE-2018-3639
- CVE-2018-4342
- CVE-2018-4304
- CVE-2018-4426
- CVE-2018-4331
- CVE-2018-3646
- CVE-2018-4242
- CVE-2018-4394
- CVE-2018-4334
- CVE-2018-4396
- CVE-2018-4418
- CVE-2018-4350
- CVE-2018-4421
- CVE-2018-4422
- CVE-2018-4408
- CVE-2018-4402
- CVE-2018-4341
- CVE-2018-4354
- CVE-2018-4401
- CVE-2018-4371
- CVE-2018-4420
- CVE-2018-4399
- CVE-2018-4340
- CVE-2018-4419
- CVE-2018-4425
- CVE-2018-4259
- CVE-2018-4286
- CVE-2018-4287
- CVE-2018-4288
- CVE-2018-4291
- CVE-2018-4413
- CVE-2018-4407
- CVE-2018-4424
- CVE-2018-4187
- CVE-2018-4348
- CVE-2018-4389
- CVE-2018-4326
- CVE-2018-4310
- CVE-2018-3640
- CVE-2018-4369
- CVE-2018-6797
- CVE-2017-0898
- CVE-2017-10784
- CVE-2017-14033
- CVE-2017-14064
- CVE-2017-17405
- CVE-2017-17742
- CVE-2018-6914
- CVE-2018-8777
- CVE-2018-8778
- CVE-2018-8779
- CVE-2018-8780
- CVE-2018-4400
- CVE-2018-4395
- CVE-2018-4393
- CVE-2018-4203
- CVE-2018-4368
- CVE-2018-4470
- CVE-2018-4289
- CVE-2018-4268
- CVE-2018-4285
- CVE-2018-5383
- CVE-2018-4293
- CVE-2018-4269
- CVE-2018-4276
- CVE-2018-4178
- CVE-2018-4456
- CVE-2018-4283
- CVE-2018-3665
- CVE-2018-4280
- CVE-2018-4248
- CVE-2018-4277
- CVE-2018-6913
- CVE-2018-4274
Frequently Asked Questions
What is CVE-2017-17742?
CVE-2017-17742 is a vulnerability in Ruby that allows an HTTP Response Splitting attack.
What is the severity of CVE-2017-17742?
CVE-2017-17742 has a severity rating of medium (5.3).
Which versions of Ruby are affected by CVE-2017-17742?
Ruby versions before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 are affected by CVE-2017-17742.
How can I fix the CVE-2017-17742 vulnerability in Ruby?
To fix the CVE-2017-17742 vulnerability in Ruby, update to version 2.2.10, 2.3.7, 2.4.4, 2.5.1, or a later version.
Where can I find more information about CVE-2017-17742?
You can find more information about CVE-2017-17742 at the following references: [Link 1](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1561957), [Link 3](https://access.redhat.com/security/updates/classification/).
- collector/redhat-cve
- collector/nvd-index
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- collector/apple-support
- alias/CVE-2017-10784
- alias/CVE-2017-14033
- alias/CVE-2017-14064
- alias/CVE-2017-17405
- alias/CVE-2017-17742
- alias/CVE-2018-6914
- alias/CVE-2018-8777
- alias/CVE-2018-8778
- alias/CVE-2018-8779
- alias/CVE-2018-8780
- agent/software-canonical-lookup-request
- collector/redhat-bugzilla
- source/Red Hat
- agent/software-canonical-lookup
- agent/weakness
- agent/remedy
- agent/author
- agent/severity
- collector/nvd-cve
- source/NVD
- agent/event
- agent/description
- agent/references
- agent/tags
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/usn-cve
- source/Ubuntu
- package-manager/redhat
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.2.0
- version/ruby-lang ruby/2.3.0
- version/ruby-lang ruby/2.4.0
- version/ruby-lang ruby/2.5.0
- version/ruby-lang ruby/2.6.0-preview1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/7.0
- vendor/apple
- canonical/apple macos mojave
- canonical/apple high sierra
- canonical/apple sierra
- canonical/apple macos high sierra
- canonical/apple el capitan
- package-manager/debian