CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-47220: An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header...

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."

Classification

CVE ID: CVE-2024-47220

Affected Products

Vendor: n/a

Product: n/a

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.82% (scored less or equal to compared to others)

EPSS Date: 2025-02-07 (when was this score calculated)

References

https://github.com/ruby/webrick/issues/145
https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
https://github.com/ruby/webrick/issues/145#issuecomment-2369994610
https://github.com/ruby/webrick/issues/145#issuecomment-2372838285

Timeline

2025-01-10 00:30:51 UTC
CVE

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header...
2025-02-28 10:30:27 UTC
Tenable Plugins

SUSE SLED15 / SLES15 / openSUSE 15 Security Update : ruby2.5 (SUSE-SU-2025:0736-1)