CVE-2011-3186

2011-08-2918:55:01

CWE-94

[email protected]

web.nvd.nist.gov

crlf injection

ruby on rails

http headers

http response splitting

cve-2011-3186

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.7 Medium

AI Score

Confidence

Low

0.007 Low

EPSS

Percentile

79.8%

JSON

CRLF injection vulnerability in actionpack/lib/action_controller/response.rb in Ruby on Rails 2.3.x before 2.3.13 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the Content-Type header.

Affected configurations

NVD

Node

rubyonrailsrailsMatch2.3.2

rubyonrailsrailsMatch2.3.3

rubyonrailsrailsMatch2.3.4

rubyonrailsrailsMatch2.3.9

rubyonrailsrailsMatch2.3.10

rubyonrailsrailsMatch2.3.11

rubyonrailsrailsMatch2.3.12

CPENameOperatorVersion
rubyonrails:railsrubyonrails railseq2.3.2
rubyonrails:railsrubyonrails railseq2.3.3
rubyonrails:railsrubyonrails railseq2.3.4
rubyonrails:railsrubyonrails railseq2.3.9
rubyonrails:railsrubyonrails railseq2.3.10
rubyonrails:railsrubyonrails railseq2.3.11
rubyonrails:railsrubyonrails railseq2.3.12

CPE	Name	Operator	Version
rubyonrails:rails	rubyonrails rails	eq	2.3.2
rubyonrails:rails	rubyonrails rails	eq	2.3.3
rubyonrails:rails	rubyonrails rails	eq	2.3.4
rubyonrails:rails	rubyonrails rails	eq	2.3.9
rubyonrails:rails	rubyonrails rails	eq	2.3.10
rubyonrails:rails	rubyonrails rails	eq	2.3.11
rubyonrails:rails	rubyonrails rails	eq	2.3.12