
CVSS: 7.5 | EPSS: 0% | CPEs: 11 | EXPL: 0

28 Feb 2020 — In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input into a response header, an attacker can use newline characters (i.e. `CR`/`\r` or `LF`/`\n`) to terminate the header early and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-... • https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
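Added example, not Puma's code and not taken from the advisory: the split in miniature, in Ruby. A naive serialiser writes header values verbatim, a constructed `INJECTED_LOCATION` payload (an assumed redirect target copied from untrusted input) turns one 302 into two responses, and a hardened serialiser refuses any header name or value that contains CR or LF. The function names, the `HeaderInjectionError` class and the payload are all assumptions made for illustration; the parser at the end only stands in for what a browser or proxy would see on the wire.

```ruby
# Added example (not Puma's code): how an unsanitised header value splits an
# HTTP/1.1 response, and a hardened serialiser that rejects CR/LF first.
CRLF = "\r\n"
HEADER_INJECTION = /[\r\n]/.freeze   # a CR or LF anywhere in a header name or value

# Constructed attacker input: what a redirect target looks like if the app copies
# a query parameter straight into the Location header (assumption, not real data).
INJECTED_LOCATION =
  "/home" + CRLF +                       # ends the Location header early
  "Content-Length: 0" + CRLF + CRLF +    # closes the first (now empty) response
  "HTTP/1.1 200 OK" + CRLF +             # starts a second, attacker-controlled response
  "Content-Type: text/html" + CRLF +
  "Content-Length: 25" + CRLF + CRLF +
  "<script>alert(1)</script>"

# Naive serialiser: writes whatever header values it is given onto the wire.
def serialize_response_unsafe(status, headers, body)
  lines = ["HTTP/1.1 #{status}"]
  headers.each { |name, value| lines << "#{name}: #{value}" }
  lines << "Content-Length: #{body.bytesize}"
  lines.join(CRLF) + CRLF + CRLF + body
end

class HeaderInjectionError < StandardError; end

# Hardened serialiser: a header carrying CR or LF cannot be emitted safely, so
# refuse it (stripping silently is the other option; raising makes the bug visible).
def serialize_response_safe(status, headers, body)
  headers.each do |name, value|
    if HEADER_INJECTION.match?(name.to_s) || HEADER_INJECTION.match?(value.to_s)
      raise HeaderInjectionError, "CR/LF in response header #{name.inspect}"
    end
  end
  serialize_response_unsafe(status, headers, body)
end

# Minimal stand-in for a browser or caching proxy: carves the byte stream into the
# separate responses it would see, using Content-Length to delimit each body.
def parse_responses(raw)
  responses = []
  rest = raw
  until rest.empty?
    head, rest = rest.split(CRLF + CRLF, 2)
    break if rest.nil?                                  # no complete header block left
    status_line, *header_lines = head.split(CRLF)
    break unless status_line.to_s.start_with?("HTTP/")  # trailing junk, not a response
    headers = header_lines.map { |l| n, v = l.split(": ", 2); [n, v.to_s] }.to_h
    length = headers.fetch("Content-Length", "0").to_i
    body = rest.byteslice(0, length).to_s
    rest = rest.byteslice(length, rest.bytesize - length) || ""
    responses << { status: status_line, headers: headers, body: body }
  end
  responses
end

if __FILE__ == $PROGRAM_NAME
  raw = serialize_response_unsafe("302 Found", { "Location" => INJECTED_LOCATION }, "")
  parse_responses(raw).each { |r| puts "#{r[:status]} body=#{r[:body].inspect}" }
  begin
    serialize_response_safe("302 Found", { "Location" => INJECTED_LOCATION }, "")
  rescue HeaderInjectionError => e
    puts "hardened serialiser refused: #{e.message}"
  end
end
```

Run stand-alone, the naive path yields a 302 followed by a second 200 whose body is the attacker's script; the hardened path raises before anything reaches the socket. Rejecting rather than stripping is a design choice: it surfaces the injection to the application developer instead of quietly altering the redirect target, and either is acceptable as long as no raw CR/LF is ever written into a header line.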

CVSS: 7.5 | EPSS: 0% | CPEs: 3 | EXPL: 0

05 Dec 2019 — In Puma before versions 3.12.2 and 4.3.1, a poorly behaved client could use keepalive requests to monopolize Puma's reactor and mount a denial-of-service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently, provided the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2. • https://github.com/puma/puma/security/advisories/GHSA-7xx3-m584-x994 • CWE-770: Allocation of Resources Without Limits or Throttling •
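Added example, not Puma's code: a toy scheduler in Ruby that models the starvation described above and shows a per-connection cap on consecutive requests as one mitigation. Each tick, every worker thread serves one request from the connection it holds; a worker that finishes a request and finds another already pending on the same socket serves that next instead of going back to the queue, which is exactly the behaviour a client who "sends requests frequently enough" exploits. The `simulate` function, its `max_inline` parameter and the `Connection` struct are names chosen for this example; the page says the bug is patched in 4.3.1 and 3.12.2 but does not describe the fix, so the cap here is an illustrative mitigation, not a description of Puma's patch.

```ruby
# Added example (not Puma's code): a discrete-tick model of a fixed thread pool
# serving keep-alive connections, with and without a fairness cap.
Connection = Struct.new(:name, :attacker, :pending, :served)

# threads:   worker threads available
# attackers: keep-alive clients that always have another request ready
# victims:   ordinary clients that each want to make one request
# max_inline: (assumed name) max consecutive requests served on one connection
#             before it is pushed back behind everyone else in the queue; nil = no cap
def simulate(threads:, attackers:, victims:, ticks:, max_inline: nil)
  queue = []
  attackers.times { |i| queue << Connection.new("attacker-#{i}", true, 1, 0) }
  victims.times   { |i| queue << Connection.new("victim-#{i}",   false, 1, 0) }
  all = queue.dup
  slots = Array.new(threads)   # per thread: [connection, consecutive requests] or nil

  ticks.times do
    slots.each_index do |i|
      if slots[i].nil?
        conn = queue.shift       # pick the next waiting connection, if any
        next if conn.nil?
        slots[i] = [conn, 0]
      end
      conn, streak = slots[i]
      conn.served += 1           # serve one request this tick
      conn.pending -= 1
      streak += 1
      conn.pending += 1 if conn.attacker   # attacker pipelines the next request at once
      if conn.pending.zero?
        slots[i] = nil           # socket idles on keep-alive; thread is freed
      elsif max_inline && streak >= max_inline
        queue.push(conn)         # fairness cap hit: re-queue behind waiting connections
        slots[i] = nil
      else
        slots[i] = [conn, streak] # more data already waiting: keep serving this socket
      end
    end
  end

  {
    victims_served:    all.count { |c| !c.attacker && c.served > 0 },
    victims_starved:   all.count { |c| !c.attacker && c.served.zero? },
    attacker_requests: all.select(&:attacker).sum(&:served),
  }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(threads: 2, attackers: 2, victims: 5, ticks: 50)                 # victims starve
  p simulate(threads: 2, attackers: 2, victims: 5, ticks: 50, max_inline: 10) # victims served
end
```

With as many attacker connections as threads and no cap, no victim is ever served no matter how many ticks elapse; with the cap, every attacker connection is forced back into the queue after ten requests and the five waiting victims are all served within a few ticks. The cap does not stop the attacker from consuming capacity, it only bounds how long any one connection can hold a thread, which is the property that turns permanent starvation into ordinary contention.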

CVSS: 5.9 | EPSS: 0% | CPEs: 1 | EXPL: 0

15 May 2017 — The PUMA PUMATRAC app 3.0.2 for iOS does not verify X.509 certificates from SSL/TLS servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. • https://medium.com/%40chronic_9612/follow-up-76-popular-apps-confirmed-vulnerable-to-silent-interception-of-tls-protected-data-64185035029f • CWE-295: Improper Certificate Validation •