HTTP Response Splitting Affecting actionpack package, versions < 2.3.13

Snyk CVSS

Attack Complexity Low

User Interaction Required

Threat Intelligence

EPSS 0.67% (80^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-RUBY-ACTIONPACK-20015
published 15 Aug 2011
disclosed 15 Aug 2011
credit Brent Miller

Report a new vulnerability Found a mistake?

Introduced: 15 Aug 2011

CVE-2011-3186 Open this link in a new tab CWE-93 Open this link in a new tab

Overview

actionpack is a web app builder and tester on Rails. Affected versions of this Gem, do not sanitize the values provided for response content types, allowing a remote attacker to inject arbitrary HTTP headers into a response.

References

http://rubysec.com/advisories/CVE-2011-3186/
https://groups.google.com/forum/#!topic/rubyonrails-security/b_yTveAph2g