CVE-2020-11077
HTTP Smuggling via Transfer-Encoding Header in Puma
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
En Puma (RubyGem) versiones anteriores a 4.3.5 y 3.12.6, un cliente podría hacer pasar sin autorización una petición por medio de un proxy, causando que el proxy envíe una respuesta a otro cliente desconocido. Si el proxy usa conexiones persistentes y el cliente agrega otra petición por medio de la canalización HTTP, el proxy puede confundirlo como el cuerpo de la primera petición. Sin embargo, Puma lo vería como dos peticiones y, al procesar la segunda petición, devolvería una respuesta que el proxy no espera. Si el proxy ha reutilizado la conexión persistente a Puma para enviar otra petición para un cliente diferente, la segunda respuesta desde el primer cliente será enviada al segundo cliente. Esta es una vulnerabilidad similar pero diferente de CVE-2020-11076. El problema se ha corregido en Puma versión 3.12.6 y Puma versión 4.3.5.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2020-03-30 CVE Reserved
- 2020-05-22 CVE Published
- 2024-08-04 CVE Updated
- 2024-09-15 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 | Release Notes | |
| https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Puma Search vendor "Puma" | Puma Search vendor "Puma" for product "Puma" | >= 3.0.0 < 3.12.6 Search vendor "Puma" for product "Puma" and version " >= 3.0.0 < 3.12.6" | ruby |
Affected
| ||||||
| Puma Search vendor "Puma" | Puma Search vendor "Puma" for product "Puma" | >= 4.0.0 < 4.3.5 Search vendor "Puma" for product "Puma" and version " >= 4.0.0 < 4.3.5" | ruby |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 33 Search vendor "Fedoraproject" for product "Fedora" and version "33" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.1 Search vendor "Opensuse" for product "Leap" and version "15.1" | - |
Affected
| ||||||
| Opensuse Search vendor "Opensuse" | Leap Search vendor "Opensuse" for product "Leap" | 15.2 Search vendor "Opensuse" for product "Leap" and version "15.2" | - |
Affected
| ||||||