CVE-2025-25184

{"id": "CVE-2025-25184", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "PROOF_OF_CONCEPT", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-12T17:15:24.000", "references": [{"url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg", "tags": ["Exploit", "Vendor Advisory"], "source": "[email protected]"}, {"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Secondary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-93"}, {"lang": "en", "value": "CWE-117"}]}], "descriptions": [{"lang": "en", "value": "Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix."}, {"lang": "es", "value": "Rack proporciona una interfaz para desarrollar aplicaciones web en Ruby. Antes de las versiones 2.2.11, 3.0.12 y 3.1.11, Rack::CommonLogger se puede explotar creando entradas que incluyan caracteres de nueva l\u00ednea para manipular las entradas del registro. La prueba de concepto proporcionada demuestra la inyecci\u00f3n de contenido malicioso en los registros. Cuando un usuario proporciona las credenciales de autorizaci\u00f3n a trav\u00e9s de Rack::Auth::Basic, si tiene \u00e9xito, el nombre de usuario se colocar\u00e1 en env['REMOTE_USER'] y luego ser\u00e1 utilizado por Rack::CommonLogger para fines de registro. El problema ocurre cuando un servidor intencional o involuntariamente permite la creaci\u00f3n de un usuario con el nombre de usuario que contiene caracteres CRLF y espacios en blanco, o el servidor solo desea registrar cada intento de inicio de sesi\u00f3n. Si un atacante ingresa un nombre de usuario con caracteres CRLF, el registrador registrar\u00e1 el nombre de usuario malicioso con caracteres CRLF en el archivo de registro. Los atacantes pueden romper los formatos de registro o insertar entradas fraudulentas, lo que podr\u00eda ocultar la actividad real o inyectar datos maliciosos en los archivos de registro. Las versiones 2.2.11, 3.0.12 y 3.1.11 contienen una correcci\u00f3n."}], "lastModified": "2025-11-03T22:18:41.023", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "B567CD52-16EF-4E81-BE55-EB81F8DBAEEE", "versionEndExcluding": "2.2.11"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "C27B8087-BC5A-4690-AF64-0D66531643DA", "versionEndExcluding": "3.0.12", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "F4C269DB-B894-4D44-8D01-2FA3936E3BC1", "versionEndExcluding": "3.1.10", "versionStartIncluding": "3.1.0"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}