Bug 2345301 (CVE-2025-25184)

Summary: CVE-2025-25184 rubygem-rack: Possible Log Injection in Rack::CommonLogger
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: akostadi, amasferr, anthomas, cbartlet, crizzo, dmayorov, ehelms, ggainey, jcantril, jlledo, juwatts, jvasik, kaycoth, mhulan, mkudlej, mmakovy, nmoumoul, osousa, pcreech, rblanco, rchan, rojacob, smallamp, tjochec, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the rubygem-rack package. When a user provides the authorization credentials via Rack::Auth::Basic, if successful, the username is placed in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username containing CRLF and white space characters or the server logs every login attempt. If an attacker enters a username with a CRLF character, the logger will log the malicious username with CRLF characters into the logfile. This flaw allows attackers to break log formats or insert fraudulent entries, potentially obscuring activity or injecting malicious data into log files.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2345709, 2345710, 2345712, 2345711    
Bug Blocks:    

Description OSIDB Bzimport 2025-02-12 17:01:27 UTC 
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.11, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.11 contain a fix.
Comment 5 errata-xmlrpc 2025-05-13 09:57:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:7085 https://access.redhat.com/errata/RHSA-2025:7085