SB2020052110 - Red Hat Enterprise Linux 7 update for ruby
Published: May 21, 2020
Security Bulletin ID
SB2020052110
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) HTTP response splitting (CVE-ID: CVE-2017-17742)
The vulnerability allows a remote attacker to perform HTTP response splitting attack.The weakness exists due to improper handling of HTTP requests. If a script accepts an external input and outputs it without modification as a part of HTTP responses, a remote attacker can use newline characters to trick the victim that the HTTP response header is stopped at there and inject fake HTTP responses after the newline characters to show malicious contents to the victim.
2) Buffer under-read (CVE-ID: CVE-2018-8778)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.The weakness exists in the String#unpack method due to buffer under-read. A remote attacker can gain access to potentially sensitive information.
Remediation
Install update from vendor's website.