From ba5da8f631d3be03a7da080c2071fa1dc5086ac0 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Tue, 24 Feb 2026 20:01:00 -0500
Subject: [PATCH 1/2] GHSA SYNC: 1 brand new advisory - 2011/webrick

---
 rubies/ruby/CVE-2011-3624.yml | 39 +++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 rubies/ruby/CVE-2011-3624.yml

diff --git a/rubies/ruby/CVE-2011-3624.yml b/rubies/ruby/CVE-2011-3624.yml
new file mode 100644
index 0000000000..4ee323c57b
--- /dev/null
+++ b/rubies/ruby/CVE-2011-3624.yml
@@ -0,0 +1,39 @@
+---
+engine: ruby
+cve: 2011-3624
+ghsa: rc82-v3mm-rhj2
+url: https://nvd.nist.gov/vuln/detail/CVE-2011-3624
+title: WEBrick::HTTPRequest X-Forwarded-* allows arbitrary data
+date: 2019-11-25
+description: |
+  Various methods in WEBrick::HTTPRequest do not validate the
+  X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in
+  requests, which might allow remote attackers to inject arbitrary text
+  into log files or bypass intended address parsing via a crafted header.
+cvss_v2: 5.0
+cvss_v3: 5.3
+patched_versions:
+  - "~> 1.9.2"
+  - ">= 3.0.0"
+related:
+  url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2011-3624
+    - https://www.ruby-lang.org/en/news/2020/12/25/ruby-3-0-0-released
+    - https://github.com/ruby/ruby/blob/v3_0_0/NEWS.md
+    - https://bugs.ruby-lang.org/issues/17303
+    - https://raw.githubusercontent.com/ruby/ruby/refs/heads/ruby_1_9_2/ChangeLog
+    - https://access.redhat.com/security/cve/cve-2011-3624
+    - https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3624
+    - https://security-tracker.debian.org/tracker/CVE-2011-3624
+    - https://github.com/advisories/GHSA-rc82-v3mm-rhj2
+notes: |
+  - Ruby 3.0.0 was the release when webrick was moved into a separate gem.
+  - Did not find references to 1.8.7 fix.
+  - Found this in above 1.9.2 ChangeLog. Unclear if connected.
+  -- Fri Jun 24 19:57:30 2011 Hiroshi Nakamura
+  * lib/webrick/httprequest.rb (setup_forwarded_info): Parsing request
+  header failed when the request is from 2 or more Apache reverse
+  proxies. It's said that all X-Forwarded-* headers will contain more
+  than one (comma-separated) value if the original request already
+  contained one of these headers. Since we could use these values as
+  Host header, we choose the initial(first) value. See #4922.

From bf6db1eb5f63c5a565988b9de8cbc6d762a2a9e5 Mon Sep 17 00:00:00 2001
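Review bot: The `">= 3.0.0"` entry under `patched_versions` records that webrick left the Ruby distribution, not that the X-Forwarded-* handling in `WEBrick::HTTPRequest` was fixed — the first line of `notes` in this hunk says exactly that, and the related links (the 3.0.0 release notes, bug #17303) appear to document the gem separation rather than a fix commit. A Ruby 3.x application that installs the standalone webrick gem carries the same request-parsing code, so a consumer reading this field as "safe from 3.0.0 on the engine alone" would be misled; whether the separate webrick gem ever validated these headers is not established by anything in this file and would need a gem-level advisory of its own. I would make the limitation explicit in `notes`, e.g. `  - The >= 3.0.0 bound marks webrick's removal from the Ruby distribution, not a code fix; apps on 3.x that add the webrick gem still ship the unvalidated X-Forwarded-* parsing.`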
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Wed, 25 Feb 2026 10:50:47 -0500
Subject: [PATCH 2/2] Update CVE-2011-3624.yml for Ruby vulnerabilities

Removed outdated patched version for Ruby 1.9.2 and updated notes regarding webrick's gem separation.

---
 rubies/ruby/CVE-2011-3624.yml | 10 ----------
 1 file changed, 10 deletions(-)

diff --git a/rubies/ruby/CVE-2011-3624.yml b/rubies/ruby/CVE-2011-3624.yml
index 4ee323c57b..15dceb4f3b 100644
--- a/rubies/ruby/CVE-2011-3624.yml
+++ b/rubies/ruby/CVE-2011-3624.yml
@@ -13,7 +13,6 @@ description: |
 cvss_v2: 5.0
 cvss_v3: 5.3
 patched_versions:
-  - "~> 1.9.2"
   - ">= 3.0.0"
 related:
   url:
@@ -28,12 +27,3 @@ related:
     - https://github.com/advisories/GHSA-rc82-v3mm-rhj2
 notes: |
   - Ruby 3.0.0 was the release when webrick was moved into a separate gem.
-  - Did not find references to 1.8.7 fix.
-  - Found this in above 1.9.2 ChangeLog. Unclear if connected.
-  -- Fri Jun 24 19:57:30 2011 Hiroshi Nakamura
-  * lib/webrick/httprequest.rb (setup_forwarded_info): Parsing request
-  header failed when the request is from 2 or more Apache reverse
-  proxies. It's said that all X-Forwarded-* headers will contain more
-  than one (comma-separated) value if the original request already
-  contained one of these headers. Since we could use these values as
-  Host header, we choose the initial(first) value. See #4922.