SCA: security update for rack (GHSA-7g2v-jj9q-g3rg)

high Tenable Cloud Security Plugin ID 420880

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and
3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to
manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.
When a user provides authorization credentials via Rack::Auth::Basic, on success the username is put in
env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The issue occurs when a
server intentionally or unintentionally allows the creation of a user whose username contains CRLF and
whitespace characters, or when the server simply wants to log every login attempt. If an attacker enters a
username containing CRLF characters, the logger writes the malicious username, CRLF included, into the
logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity
or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
(CVE-2025-25184)
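
Added example, not code from Rack, GitHub or Tenable: a small Rack-style middleware in plain Ruby (no gems required) that neutralises CR, LF and other control characters in env['REMOTE_USER'] before Rack::CommonLogger writes the value, and reports each request where it had to, so the event can be alerted on. The names RemoteUserSanitizer, sanitize_log_field, on_tamper and the env key 'rack.remote_user.tampered' are chosen here, not Rack's.

```ruby
# Control characters that can break a single-line log format: C0 controls
# (including CR 0x0D and LF 0x0A) and DEL.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Replace each control character with a visible \xNN escape so the entry
# stays on one line while the original bytes remain recoverable for analysts.
def sanitize_log_field(value)
  value.gsub(CONTROL_CHARS) { |c| format('\\x%02X', c.ord) }
end

# Middleware (hypothetical name) placed after Rack::Auth::Basic has set
# REMOTE_USER. It rewrites the shared env hash in place, so a logger that
# reads env['REMOTE_USER'] later in the request sees the escaped value.
class RemoteUserSanitizer
  def initialize(app, on_tamper: nil)
    @app = app
    @on_tamper = on_tamper   # optional proc(user, remote_addr) for alerting
  end

  def call(env)
    user = env['REMOTE_USER']
    if user.is_a?(String) && user.match?(CONTROL_CHARS)
      env['rack.remote_user.tampered'] = true
      env['REMOTE_USER'] = sanitize_log_field(user)
      @on_tamper&.call(env['REMOTE_USER'], env['REMOTE_ADDR'])
    end
    @app.call(env)
  end
end

# Constructed sample: a username carrying an embedded CRLF is passed through
# the middleware; the inner app is a stand-in that returns what it sees.
def demo
  seen = nil
  app = ->(env) { seen = env['REMOTE_USER']; [200, {}, ['ok']] }
  RemoteUserSanitizer.new(app).call('REMOTE_USER' => "alice\r\nforged-entry",
                                    'REMOTE_ADDR' => '198.51.100.7')
  seen
end
```

Because Rack::CommonLogger reads env['REMOTE_USER'] only after the inner app has returned, the sanitizer works whether it sits inside or outside the logger, as long as it runs after Rack::Auth::Basic.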

See Also

https://github.com/advisories/GHSA-7g2v-jj9q-g3rg

Plugin Details

Severity: High

ID: 420880

Version: Revision 1.21

Type: Local

Family: SCA Checks

Published: 2/13/2025

Updated: 11/4/2025

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:N

CVSS Score Source: CVE-2025-25184

CVSS v3

Risk Factor: Medium

Base Score: 6.5

Temporal Score: 5.9

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS v4

Risk Factor: High

Base Score: 7.1

Threat Score: 5.7

Threat Vector: CVSS:4.0/E:P

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Vulnerability Information

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/12/2025

Vulnerability Publication Date: 2/12/2025

Reference Information

CVE: CVE-2025-25184

IAVB: 2025-B-0065-S

CWE: CWE-117, CWE-93