CVE-2019-16254 in Ruby Programming Language and Debian Products
Published on November 26, 2019

Ruby through 2.4.7, 2.5.x through 2.5.6, and 2.6.x through 2.6.4 allows HTTP Response Splitting. If a program using WEBrick inserts untrusted input into a response header, an attacker can insert a newline character to split the header and inject malicious content that deceives clients. NOTE: this issue exists because of an incomplete fix for CVE-2017-17742, which addressed the CRLF vector but did not address an isolated CR or an isolated LF.

References: GitHub repository, vendor advisories, NVD.


Products Associated with CVE-2019-16254

Ruby Programming Language; Debian products.

Vulnerable Packages

The following package names and versions may be associated with CVE-2019-16254:

Package Manager | Vulnerable Package | Versions          | Fixed In
rubygems        | puma               | < 3.12.3          | 3.12.4
rubygems        | puma               | >= 4.0.0, < 4.3.2 | 4.3.3

Exploit Probability

EPSS: 0.71%
Percentile: 71.71%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows how this score compares with those of all other scored vulnerabilities.