cp {en,ko}/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md

Sangyong Sim · Sangyong Sim · commit ad49497dd08e · 2020-10-06T18:11:54.000+09:00
diff --git a/ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md b/ko/news/_posts/2020-09-29-http-request-smuggling-cve-2020-25613.md
@@ -0,0 +1,32 @@
+---
+layout: news_post
+title: "CVE-2020-25613: Potential HTTP Request Smuggling Vulnerability in WEBrick"
+author: "mame"
+translator:
+date: 2020-09-29 06:30:00 +0000
+tags: security
+lang: en
+---
+
+A potential HTTP request smuggling vulnerability in WEBrick was reported. This vulnerability has been assigned the CVE idenfitifer [CVE-2020-25613](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25613). We strongly recommend upgrading the webrick gem.
+
+## Details
+
+WEBrick was too tolerant against an invalid Transfer-Encoding header. This may lead to inconsistent interpretation between WEBrick and some HTTP proxy servers, which may allow the attacker to "smuggle" a request. See [CWE-444](https://cwe.mitre.org/data/definitions/444.html) in detail.
+
+Please update the webrick gem to version 1.6.1 or later.  You can use `gem update webrick` to update it.  If you are using bundler, please add `gem "webrick", ">= 1.6.1"` to your `Gemfile`.
+
+## Affected versions
+
+* webrick gem 1.6.0 or prior
+* bundled versions of webrick in ruby 2.7.1 or prior
+* bundled versions of webrick in ruby 2.6.6 or prior
+* bundled versions of webrick in ruby 2.5.8 or prior
+
+## Credits
+
+Thanks to [piao](https://hackerone.com/piao) for discovering this issue.
+
+## History
+
+* Originally published at 2020-09-29 06:30:00 (UTC)
