Page 2 of 12 results (0.012 seconds)

CVSS: 3.7EPSS: 0%CPEs: 4EXPL: 0

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. • https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html https://security.gentoo.org/glsa/202208-28 https://www.debian.org/security/2022/dsa-5146 https://access.redhat.com/security/cve/CVE-2021-41136 https://bugzilla.redhat.com/show_bug.cgi?id=2013495 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 2%CPEs: 3EXPL: 0

Puma is a concurrent HTTP 1.1 server for Ruby/Rack applications. The fix for CVE-2019-16770 was incomplete. The original fix only protected existing connections that had already been accepted from having their requests starved by greedy persistent-connections saturating all threads in the same process. However, new connections may still be starved by greedy persistent-connections saturating all threads in all processes in the cluster. A `puma` server which received more concurrent `keep-alive` connections than the server had threads in its threadpool would service only a subset of connections, denying service to the unserved connections. • https://gist.github.com/nateberkopec/4b3ea5676c0d70cbb37c82d54be25837 https://github.com/puma/puma/security/advisories/GHSA-q28m-8xjw-8vr5 https://github.com/puma/puma/security/policy https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html https://rubygems.org/gems/puma https://security.gentoo.org/glsa/202208-28 https://access.redhat.com/security/cve/CVE-2021-29509 https://bugzilla.redhat.com/show_bug.cgi?id=1964874 • CWE-400: Uncontrolled Resource Consumption CWE-667: Improper Locking •

CVSS: 7.5EPSS: 0%CPEs: 6EXPL: 0

In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. En Puma (RubyGem) versiones anteriores a 4.3.4 y 3.12.5, un atacante podría hacer pasar sin autorización una respuesta HTTP, mediante el uso de un encabezado de codificación transfer no válido. El problema ha sido corregido en Puma versión 3.12.5 y Puma versión 4.3.4. • http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html https://lists.fedoraproject.org/archives/list/package-announ • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •

CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 0

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4. • https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3 https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58 https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproje • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •