CVE-2020-5247

HTTP Response Splitting in Puma

Severity Score

7.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.

En Puma (RubyGem) anterior a la versión 4.3.2 y anterior a la versión 3.12.3, si una aplicación que usa Puma permite la entrada no segura en un encabezado de respuesta, un atacante puede usar caracteres de nueva línea (es decir, `CR`,` LF` o` / r`, ` / n`) para finalizar el encabezado e inyectar contenido malicioso, como encabezados adicionales o un cuerpo de respuesta completamente nuevo. Esta vulnerabilidad se conoce como división de respuesta HTTP. Si bien no es un ataque en sí mismo, la división de la respuesta es un vector para varios otros ataques, como las secuencias de cross-site scripting (XSS). Esto está relacionado con CVE-2019-16254, que corrigió esta vulnerabilidad para el servidor web WEBrick Ruby. Esto se ha solucionado en las versiones 4.3.2 y 3.12.3 verificando todos los encabezados para ver los finales de línea y rechazando los encabezados con esos caracteres.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-02 CVE Reserved
2020-02-28 CVE Published
2024-06-23 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CAPEC

References (7)

URL	Tag	Source
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v	Mitigation
https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html	Mailing List
https://owasp.org/www-community/attacks/HTTP_Response_Splitting	Third Party Advisory

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD	2023-11-07
https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				<= 3.12.3 Search vendor "Puma" for product "Puma" and version " <= 3.12.3"		ruby		Affected
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				>= 4.0.0 <= 4.3.2 Search vendor "Puma" for product "Puma" and version " >= 4.0.0 <= 4.3.2"		ruby		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				<= 2.3.0 Search vendor "Ruby-lang" for product "Ruby" and version " <= 2.3.0"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 2.4.0 <= 2.4.7 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.4.0 <= 2.4.7"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 2.5.0 <= 2.5.6 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.5.0 <= 2.5.6"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				>= 2.6.0 <= 2.6.4 Search vendor "Ruby-lang" for product "Ruby" and version " >= 2.6.0 <= 2.6.4"		-		Affected
Ruby-lang Search vendor "Ruby-lang"		Ruby Search vendor "Ruby-lang" for product "Ruby"				2.7.0 Search vendor "Ruby-lang" for product "Ruby" and version "2.7.0"		preview1		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				30 Search vendor "Fedoraproject" for product "Fedora" and version "30"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				31 Search vendor "Fedoraproject" for product "Fedora" and version "31"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				32 Search vendor "Fedoraproject" for product "Fedora" and version "32"		-		Affected