vulnerability
Amazon Linux 2023: CVE-2024-47220: Important priority package update for ruby3.2
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:N/I:C/A:N) | Sep 22, 2024 | Feb 17, 2025 | Jul 8, 2025 |
Severity
8
CVSS
(AV:N/AC:L/Au:N/C:N/I:C/A:N)
Published
Sep 22, 2024
Added
Feb 17, 2025
Modified
Jul 8, 2025
Description
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
A flaw was found in the webrick toolkit. This issue occurs because the server incorrectly handles requests with both Content-Length and Transfer-Encoding headers. This can allow an attacker to sneak in an extra request such as GET /admin after the normal request POST /user. As a result, unauthorized users can access restricted areas like /admin by POST /user.
A flaw was found in the webrick toolkit. This issue occurs because the server incorrectly handles requests with both Content-Length and Transfer-Encoding headers. This can allow an attacker to sneak in an extra request such as GET /admin after the normal request POST /user. As a result, unauthorized users can access restricted areas like /admin by POST /user.
Solutions
amazon-linux-2023-upgrade-ruby3-2amazon-linux-2023-upgrade-ruby3-2-bundled-gemsamazon-linux-2023-upgrade-ruby3-2-bundled-gems-debuginfoamazon-linux-2023-upgrade-ruby3-2-debuginfoamazon-linux-2023-upgrade-ruby3-2-debugsourceamazon-linux-2023-upgrade-ruby3-2-default-gemsamazon-linux-2023-upgrade-ruby3-2-develamazon-linux-2023-upgrade-ruby3-2-docamazon-linux-2023-upgrade-ruby3-2-libsamazon-linux-2023-upgrade-ruby3-2-libs-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-bigdecimalamazon-linux-2023-upgrade-ruby3-2-rubygem-bigdecimal-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-bundleramazon-linux-2023-upgrade-ruby3-2-rubygem-io-consoleamazon-linux-2023-upgrade-ruby3-2-rubygem-io-console-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-irbamazon-linux-2023-upgrade-ruby3-2-rubygem-jsonamazon-linux-2023-upgrade-ruby3-2-rubygem-json-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-minitestamazon-linux-2023-upgrade-ruby3-2-rubygem-power-assertamazon-linux-2023-upgrade-ruby3-2-rubygem-psychamazon-linux-2023-upgrade-ruby3-2-rubygem-psych-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-rakeamazon-linux-2023-upgrade-ruby3-2-rubygem-rbsamazon-linux-2023-upgrade-ruby3-2-rubygem-rbs-debuginfoamazon-linux-2023-upgrade-ruby3-2-rubygem-rdocamazon-linux-2023-upgrade-ruby3-2-rubygem-rexmlamazon-linux-2023-upgrade-ruby3-2-rubygem-rssamazon-linux-2023-upgrade-ruby3-2-rubygemsamazon-linux-2023-upgrade-ruby3-2-rubygems-develamazon-linux-2023-upgrade-ruby3-2-rubygem-test-unitamazon-linux-2023-upgrade-ruby3-2-rubygem-typeprof
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.