MEDIUM

GHSA-jmgf-p46x-982h

rails is vulnerable to CRLF injection

Details

CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via a crafted URL to the redirect_to function.

Are you affected?

Enter the version of the package you're using.

Affected packages

RubyGems / rails

Introduced in: 0 Fixed in: 2.0.5

Fix bundle update rails

References

https://nvd.nist.gov/vuln/detail/CVE-2008-5189 [ADVISORY]
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rails/CVE-2008-5189.yml [WEB]
http://github.com/rails/rails [PACKAGE]
http://github.com/rails/rails/commit/7282ed863ca7e6f928bae9162c9a63a98775a19d [WEB]
http://lists.opensuse.org/opensuse-security-announce/2008-12/msg00002.html [WEB]
http://weblog.rubyonrails.org/2008/10/19/rails-2-0-5-redirect_to-and-offset-limit-sanitizing [WEB]
http://weblog.rubyonrails.org/2008/10/19/response-splitting-risk [WEB]