CGA-85w5-qqvw-qxp8

Published

Last updated

https://images.chainguard.dev/security/CGA-85w5-qqvw-qxp8

Package

gitlab-rails-ee-fips-17.0

Repository

Chainguard

Latest Update

Fix not planned

Aliases

GHSA-6f62-3596-g6w7

Severity

Unknown

Summary

HTTP Request Smuggling in ruby webrick

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

References

https://github.com/advisories/GHSA-6f62-3596-g6w7
https://nvd.nist.gov/vuln/detail/CVE-2024-47220
https://github.com/ruby/webrick/issues/145
https://github.com/ruby/webrick/issues/145#issuecomment-2369994610
https://github.com/ruby/webrick/issues/145#issuecomment-2372838285
https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7
https://github.com/ruby/webrick
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/webrick/CVE-2024-47220.yml

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-85w5-qqvw-qxp8

Severity

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources