CVE-2008-5189
rails is vulnerable to CRLF injection
EPSS 0.34%
Description
CRLF injection vulnerability in Ruby on Rails before 2.0.5 allows remote attackers to inject arbitrary HTTP headers, and thereby conduct HTTP response splitting attacks, by supplying a crafted URL (one carrying carriage-return/line-feed characters) as the target of the redirect_to function. The attack applies wherever an application passes user-controlled input to redirect_to, since the target is written into the Location header of the response.
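The following is an added illustration of the header-injection mechanism described above; it is not Rails code and not the Rails 2.0.5 patch. It models a redirect helper that writes the target straight into the Location header, feeds it a constructed attacker query string whose CR/LF pair is percent-encoded (so it survives the request line and is decoded only when the framework builds params), and shows the split response beside a hardened variant that refuses any target containing an ASCII control character. The function and parameter names (`build_redirect_response`, `safe_redirect_target`, the `url` parameter) are assumptions made for the example.

```ruby
require 'uri'

# Constructed attacker query (example input, not from the advisory): the
# redirect target is a query parameter, and CR/LF are percent-encoded.
ATTACK_QUERY = 'url=http%3A%2F%2Fexample.com%2F%0D%0ASet-Cookie%3A+session%3Dattacker' \
               '%0D%0A%0D%0A%3Chtml%3Epwned%3C%2Fhtml%3E'

# Decode the query the way a web framework does before exposing params.
# After decoding, the value contains raw "\r\n" bytes.
def redirect_target_from_query(query)
  URI.decode_www_form(query).to_h.fetch('url')
end

# Stand-in for a redirect helper that writes the target verbatim into the
# Location header: the behaviour the advisory describes, modelled here rather
# than taken from the Rails source.
def build_redirect_response(location)
  "HTTP/1.1 302 Found\r\nLocation: #{location}\r\nContent-Length: 0\r\n\r\n"
end

# Header parsing as a simple client or proxy does it: headers end at the first
# blank line, and everything before it, split on CRLF, is a header line.
def parse_response(raw)
  head, body = raw.split("\r\n\r\n", 2)
  status, *header_lines = head.split("\r\n")
  headers = header_lines.each_with_object({}) do |line, h|
    name, value = line.split(':', 2)
    h[name.strip] = value.to_s.strip
  end
  { status: status, headers: headers, body: body.to_s }
end

# Hardened variant (assumed check, not the upstream fix): refuse any target
# carrying an ASCII control character (CR, LF, NUL, ...), since none of them
# may appear in a header value. Returns nil so the caller can fall back to a
# fixed, safe location instead of echoing attacker input.
def safe_redirect_target(location)
  return nil if location.nil? || location.match?(/[\x00-\x1f\x7f]/)
  location
end

def redirect_response_safely(location, fallback: '/')
  build_redirect_response(safe_redirect_target(location) || fallback)
end

# Run both paths on the constructed attack and return what a client would see.
def demo
  target = redirect_target_from_query(ATTACK_QUERY)
  vulnerable = parse_response(build_redirect_response(target))
  hardened   = parse_response(redirect_response_safely(target))
  {
    injected_cookie: vulnerable[:headers]['Set-Cookie'], # "session=attacker"
    injected_body:   vulnerable[:body],                  # starts with "<html>pwned</html>"
    safe_location:   hardened[:headers]['Location'],     # "/"
    safe_cookie:     hardened[:headers]['Set-Cookie']    # nil
  }
end

if __FILE__ == $0
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

On the unchecked path the attacker-controlled Set-Cookie header and an attacker-chosen body reach the client, and the server's own Content-Length header is pushed into that body; on the checked path the target is discarded and the client is sent to the fallback location. Rejecting the whole target is deliberate: stripping CR/LF and forwarding the rest still sends the user to an attacker-chosen URL.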
How to fix CVE-2008-5189
To remediate CVE-2008-5189, upgrade the affected package to a fixed version below.
- Debian/rails—upgrade to 2.1.0-6 or later
- RubyGems/rails—upgrade to 2.0.5 or later
Is CVE-2008-5189 being exploited?
Low — the EPSS score is 0.34%, meaning the model predicts a low probability of exploitation activity in the wild over the next 30 days. A low score reflects observed exploitation trends, not how easy the bug is to trigger; any application that still passes user input to redirect_to on an affected Rails version should be patched regardless.
Affected packages (2)
- Debian/rails: from 0, < 2.1.0-6
- RubyGems/rails: from 0, < 2.0.5