CVE-2019-16254 log

Source	CVE Red Hat MITRE NVD Debian Ubuntu SUSE Alpine Mageia CVE Details CIRCL Bugs Arch Linux Red Hat Gentoo SUSE GitHub Lists oss-security full-disclosure bugtraq Misc GitHub code web search
Severity	Medium
Remote	Yes
Type	Content spoofing
Description	It has been discovered that Ruby before 2.4.8, 2.5.7 and 2.6.5 is vulnerable to HTTP response splitting in WEBrick bundled with Ruby. If a program using WEBrick inserts untrusted input into the response header, an attacker can exploit it to insert a newline character to split a header, and inject malicious content to deceive clients. This is the same issue as CVE-2017-17742. The previous fix was incomplete, which addressed the CRLF vector, but did not address an isolated CR or an isolated LF.

Group	Package	Affected	Fixed	Severity	Status	Ticket
AVG-1040	ruby2.5	2.5.6-1	2.5.7-1	Medium	Fixed	FS#63977
AVG-1039	ruby	2.6.4-1	2.6.5-1	Medium	Fixed	FS#63977

Date	Advisory	Group	Package	Severity	Type
02 Oct 2019	ASA-201910-5	AVG-1040	ruby2.5	Medium	multiple issues
02 Oct 2019	ASA-201910-2	AVG-1039	ruby	Medium	multiple issues

References
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254/