UBUNTU-CVE-2025-25184
- Source
- https://ubuntu.com/security/CVE-2025-25184
- Import Source
- https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-25184.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/UBUNTU-CVE-2025-25184
- Related
- Published
- 2025-02-12T17:15:00Z
- Modified
- 2025-03-26T17:03:39Z
- Summary
- [none]
- Details
-
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
- References
Affected packages
Ubuntu:Pro:14.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@1.5.2-3+deb8u3ubuntu1~esm9?arch=source&distro=esm-infra-legacy/trusty
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.5.2-3+deb8u3ubuntu1~esm9
Affected versions
1.*
Ecosystem specific
{
"availability": "Available with Ubuntu Pro with Legacy support add-on: https://ubuntu.com/pro",
"ubuntu_priority": "low",
"binaries": [
{
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm9",
"binary_name": "librack-ruby"
},
{
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm9",
"binary_name": "librack-ruby1.8"
},
{
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm9",
"binary_name": "librack-ruby1.9.1"
},
{
"binary_version": "1.5.2-3+deb8u3ubuntu1~esm9",
"binary_name": "ruby-rack"
}
],
"priority_reason": "Only allows inserting newlines into log file in certain circumstances"
}
Ubuntu:Pro:16.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm7?arch=source&distro=esm-apps/xenial
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.4-3ubuntu0.2+esm7
Ubuntu:Pro:18.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm7?arch=source&distro=esm-apps/bionic
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed1.6.4-4ubuntu0.2+esm7
Ubuntu:20.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1?arch=source&distro=focal
Ubuntu:Pro:20.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm6?arch=source&distro=esm-apps/focal
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.0.7-2ubuntu0.1+esm6
Ubuntu:22.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1?arch=source&distro=jammy
Ubuntu:Pro:22.04:LTS / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.1+esm1?arch=source&distro=esm-apps/jammy
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.1.4-5ubuntu1.1+esm1
Ubuntu:24.10 / ruby-rack
Package
- Name
- ruby-rack
- Purl
- pkg:deb/ubuntu/ruby-rack@2.2.7-1.1ubuntu0.1?arch=source&distro=oracular