CVE-2011-3624
MEDIUM
Ruby <=1.9.2 Header Injection via X-Forwarded-For/Host/Server Headers
Title source: llmDescription
Various methods in WEBrick::HTTPRequest in Ruby 1.9.2 and 1.8.7 and earlier do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header.
References (4)
Core References
Third Party Advisory x_refsource_misc
https://security-tracker.debian.org/tracker/CVE-2011-3624
Issue Tracking, Third Party Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624
Third Party Advisory x_refsource_misc
https://access.redhat.com/security/cve/cve-2011-3624
Issue Tracking x_refsource_misc
https://redmine.ruby-lang.org/issues/5418
Scores
CVSS v3
5.3
EPSS
0.0152
EPSS Percentile
71.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Details
CWE
CWE-74
Status
published
Products (2)
ruby-lang/ruby
1.8.7
ruby-lang/ruby
1.9.2
Published
Nov 26, 2019
Tracked Since
Feb 18, 2026