CVE-2024-47220 Information

Description

An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g. a "GET /admin HTTP/1.1\r\n" request inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
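The server-side check that removes this ambiguity, added here as an example and not WEBrick's own code or the fix in the linked pull request: it parses a raw request head and, following RFC 7230 section 3.3.3, refuses any request that carries both Content-Length and Transfer-Encoding (or otherwise inconsistent framing) instead of picking one and letting a front-end proxy disagree. The sample request and host name are constructed.

```ruby
# Added example, not WEBrick's code: reject HTTP/1.1 requests whose body framing
# is ambiguous (RFC 7230 section 3.3.3 says such messages ought to be an error).

class AmbiguousFramingError < StandardError; end

# Parse the head of a raw request (up to the first blank line). Returns
# [request_line, headers]; headers maps lowercased names to arrays of values.
def parse_request_head(raw)
  head, _body = raw.split("\r\n\r\n", 2)
  lines = head.split("\r\n")
  request_line = lines.shift
  headers = Hash.new { |h, k| h[k] = [] }
  lines.each do |line|
    name, value = line.split(":", 2)
    raise ArgumentError, "malformed header line: #{line.inspect}" if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  [request_line, headers]
end

# Decide how the body is framed. Raises AmbiguousFramingError whenever a proxy and
# this server could disagree about where the request ends (caller answers 400).
def body_framing(headers)
  has_te = headers.key?("transfer-encoding")
  has_cl = headers.key?("content-length")
  raise AmbiguousFramingError, "Content-Length and Transfer-Encoding both present" if has_te && has_cl
  if has_te
    codings = headers["transfer-encoding"].flat_map { |v| v.split(",").map { |c| c.strip.downcase } }
    raise AmbiguousFramingError, "chunked must be the final transfer-coding" unless codings.last == "chunked"
    return :chunked
  end
  return [:length, 0] unless has_cl
  values = headers["content-length"].uniq
  raise AmbiguousFramingError, "conflicting Content-Length values" if values.size != 1
  raise AmbiguousFramingError, "invalid Content-Length" unless values.first.match?(/\A\d+\z/)
  [:length, values.first.to_i]
end

# Returns :accept, or [:reject_400, reason] for a request the server must refuse.
def check_request(raw)
  _line, headers = parse_request_head(raw)
  body_framing(headers)
  :accept
rescue AmbiguousFramingError => e
  [:reject_400, e.message]
end

# Constructed sample carrying the header pair the CVE describes (host name is made up).
SAMPLE_REQUEST = "POST /user HTTP/1.1\r\nHost: example.test\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"
```

A server that answers such a request with 400 and closes the connection gives the proxy and the backend no chance to read different request boundaries from the same bytes.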

Reference

https://github.com/ruby/webrick/issues/145
https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841