First published: Wed Mar 28 2018(Updated: )
If a script accepts an external input and outputs it without modification as a part of HTTP responses, an attacker can use newline characters to deceive the clients that the HTTP response header is stopped at there, and can inject fake HTTP responses after the newline characters to show malicious contents to the clients. Affected versions: Ruby 2.2 series: 2.2.9 and earlier Ruby 2.3 series: 2.3.6 and earlier Ruby 2.4 series: 2.4.3 and earlier Ruby 2.5 series: 2.5.0 and earlier External References: <a href="https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/">https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/</a>
Credit: CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 CVE-2017-0898 CVE-2017-10784 CVE-2017-14033 CVE-2017-14064 CVE-2017-17405 CVE-2017-17742 CVE-2018-6914 CVE-2018-8777 CVE-2018-8778 CVE-2018-8779 CVE-2018-8780 cve@mitre.org cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/ruby | <0:2.0.0.648-36.el7 | 0:2.0.0.648-36.el7 |
redhat/ruby | <0:2.0.0.648-36.el7_4 | 0:2.0.0.648-36.el7_4 |
redhat/ruby | <0:2.0.0.648-36.el7_5 | 0:2.0.0.648-36.el7_5 |
redhat/ruby | <0:2.0.0.648-37.el7_6 | 0:2.0.0.648-37.el7_6 |
redhat/rh-ruby23-ruby | <0:2.3.8-69.el6 | 0:2.3.8-69.el6 |
redhat/rh-ruby24-ruby | <0:2.4.5-91.el6 | 0:2.4.5-91.el6 |
redhat/rh-ruby23-ruby | <0:2.3.8-69.el7 | 0:2.3.8-69.el7 |
redhat/rh-ruby24-ruby | <0:2.4.5-91.el7 | 0:2.4.5-91.el7 |
redhat/rh-ruby25-ruby | <0:2.5.3-6.el7 | 0:2.5.3-6.el7 |
Ruby-lang Ruby | >=2.2.0<2.2.10 | |
Ruby-lang Ruby | >=2.3.0<2.3.7 | |
Ruby-lang Ruby | >=2.4.0<2.4.4 | |
Ruby-lang Ruby | >=2.5.0<2.5.1 | |
Ruby-lang Ruby | =2.6.0-preview1 | |
Debian Debian Linux | =7.0 | |
Apple macOS Mojave | <10.14.1 | 10.14.1 |
Apple High Sierra | ||
Apple Sierra | ||
Apple macOS High Sierra | <10.13.6 | 10.13.6 |
Apple El Capitan | ||
redhat/ruby | <2.2.10 | 2.2.10 |
redhat/ruby | <2.3.7 | 2.3.7 |
redhat/ruby | <2.4.4 | 2.4.4 |
redhat/ruby | <2.5.1 | 2.5.1 |
debian/jruby | 9.3.9.0+ds-8 9.4.8.0+ds-1 |
The server can manually sanitize possibly untrusted headers prior to inserting them in the reply.
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
(Found alongside the following vulnerabilities)
CVE-2017-17742 is a vulnerability in Ruby that allows an HTTP Response Splitting attack.
CVE-2017-17742 has a severity rating of medium (5.3).
Ruby versions before 2.2.10, 2.3.x before 2.3.7, 2.4.x before 2.4.4, 2.5.x before 2.5.1, and 2.6.0-preview1 are affected by CVE-2017-17742.
To fix the CVE-2017-17742 vulnerability in Ruby, update to version 2.2.10, 2.3.7, 2.4.4, 2.5.1, or a later version.
You can find more information about CVE-2017-17742 at the following references: [Link 1](https://www.ruby-lang.org/en/news/2018/03/28/http-response-splitting-in-webrick-cve-2017-17742/), [Link 2](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1561957), [Link 3](https://access.redhat.com/security/updates/classification/).