From 23ccf6b4632286ceddd661300b3169050c0624eb Mon Sep 17 00:00:00 2001 From: Hiroshi SHIBATA Date: Fri, 10 Jul 2026 18:06:09 +0900 Subject: [PATCH] Remove webrick advisories CVE-2024-47220 and CVE-2026-38969 Both CVEs were assigned without any involvement of the WEBrick maintainers, and WEBrick's documented scope has excluded production deployment since 2020. The records generate false positives in bundler-audit for applications that depend on webrick only in test environments. Both IDs are added to lib/rad-ignores.sh so the GHSA sync does not recreate the files. A rejection request for CVE-2026-38969 has been filed with MITRE and is pending. https://github.com/ruby/webrick/commit/d91c98573da7a4af915410d40c6cf7a3a193fed2 https://github.com/ruby/webrick/issues/198 --- gems/webrick/CVE-2024-47220.yml | 25 ------------------------- gems/webrick/CVE-2026-38969.yml | 24 ------------------------ lib/rad-ignores.sh | 7 +++++++ 3 files changed, 7 insertions(+), 49 deletions(-) delete mode 100644 gems/webrick/CVE-2024-47220.yml delete mode 100644 gems/webrick/CVE-2026-38969.yml diff --git a/gems/webrick/CVE-2024-47220.yml b/gems/webrick/CVE-2024-47220.yml deleted file mode 100644 index a979c9204b..0000000000 --- a/gems/webrick/CVE-2024-47220.yml +++ /dev/null @@ -1,25 +0,0 @@ ---- -gem: webrick -cve: 2024-47220 -ghsa: 6f62-3596-g6w7 -url: https://github.com/advisories/GHSA-6f62-3596-g6w7 -title: HTTP Request Smuggling in ruby webrick -date: 2024-09-22 -description: | - An issue was discovered in the WEBrick toolkit through 1.8.1 for Ruby. - It allows HTTP request smuggling by providing both a Content-Length - header and a Transfer-Encoding header, e.g., - "GET /admin HTTP/1.1\r\n" inside of a "POST /user HTTP/1.1\r\n" - request. - - NOTE: the supplier''s position is "Webrick should not be used in production." -cvss_v3: 7.5 -patched_versions: - - ">= 1.8.2" -related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2024-47220 - - https://github.com/ruby/webrick/issues/145 - - https://github.com/ruby/webrick/pull/146/commits/d88321da45dcd230ac2b4585cad4833d6d5e8841 - - https://github.com/ruby/webrick/commit/f5faca9222541591e1a7c3c97552ebb0c92733c7 - - https://github.com/advisories/GHSA-6f62-3596-g6w7 diff --git a/gems/webrick/CVE-2026-38969.yml b/gems/webrick/CVE-2026-38969.yml deleted file mode 100644 index d4e9d33da5..0000000000 --- a/gems/webrick/CVE-2026-38969.yml +++ /dev/null @@ -1,24 +0,0 @@ ---- -gem: webrick -cve: 2026-38969 -ghsa: h4w6-wx8r-p68v -url: https://nvd.nist.gov/vuln/detail/CVE-2026-38969 -title: ruby webrick through v1.9.2 WEBrick reparses trailer -date: 2026-07-02 -description: | - ruby webrick through v1.9.2 WEBrick reparses trailer Content-Length - into canonical request state, enabling request smuggling. -related: - url: - - https://nvd.nist.gov/vuln/detail/CVE-2026-38969 - - https://github.com/ruby/webrick/pull/199 - - https://github.com/ruby/webrick/issues/198 - - https://nvd.nist.gov/vuln/detail/CVE-2015-7519 - - https://github.com/advisories/GHSA-h4w6-wx8r-p68v -notes: | - - - Not patched (last release was 1.9.2) - - https://rubygems.org/gems/webrick/versions/1.9.2 - - https://github.com/ruby/webrick/releases/tag/v1.9.2 - - No CVSS value in nvd.nist.gov URL. - - GHSA is unreviewed. diff --git a/lib/rad-ignores.sh b/lib/rad-ignores.sh index 741721f3c5..e5c6bea7db 100755 --- a/lib/rad-ignores.sh +++ b/lib/rad-ignores.sh @@ -57,6 +57,13 @@ rm -rf gems/nokogiri/GHSA-gx8x-g87m-h5q6.yml # 7/7/2026: gems/commonmarker/CVE-2023-37463.yml rm -rf gems/commonmarker/GHSA-7vh7-fw88-wj87.yml +# Disputed by the WEBrick maintainers. CVEs were assigned without +# maintainer involvement, and WEBrick's documented scope has excluded +# production use since 2020. +# 7/10/2026: https://github.com/ruby/webrick/issues/198 +rm -f gems/webrick/CVE-2024-47220.yml +rm -f gems/webrick/CVE-2026-38969.yml + exit # AL>> QUESTION (ruby or jruby)?