Various methods in WEBrick::HTTPRequest in Ruby 1.9.2-p290 and 1.8.7-p352 and earlier and do not validate the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server headers in requests, which might allow remote attackers to inject arbitrary text into log files or bypass intended address parsing via a crafted header. https://redmine.ruby-lang.org/issues/5418 Rating is low due to limited impact (log file corruption/etc.), exploitation via another user requires man in the middle or control of a web proxy used by the user.