CVE-2024-47220
- Source
- https://cve.org/CVERecord?id=CVE-2024-47220
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47220.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-47220
- Aliases
- Downstream
- Related
- Published
- 2024-09-22T00:00:00Z
- Modified
- 2026-05-26T04:00:48.753551841Z
- Summary
- [none]
- Details
-
An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. It allows HTTP request smuggling by providing both a Content-Length header and a Transfer-Encoding header, e.g., "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" request. NOTE: the supplier's position is "Webrick should not be used in production."
- Database specific
{ "isDisputed": true, "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47220.json", "cna_assigner": "mitre" }- References
-
- https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/47xxx/CVE-2024-47220.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-47220
- https://github.com/ruby/webrick/issues/145
- https://github.com/ruby/webrick/issues/145#issuecomment-2369994610
- https://github.com/ruby/webrick/issues/145#issuecomment-2372838285