CVE-2020-5249

HTTP Response Splitting (Early Hints) in Puma

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.

En Puma (RubyGem) versiones anteriores a 3.3 y 3.12.4, si una aplicación que usa Puma permite una entrada no confiable en un encabezado early-hint, un atacante puede usar un carácter retorno de carro para finalizar el encabezado e inyectar contenido malicioso, tales como encabezados adicionales o un cuerpo de respuesta completamente nuevo. Esta vulnerabilidad se conoce como División de Respuesta HTTP. Si bien no es un ataque en sí mismo, la división de la respuesta es un vector para varios otros ataques, tales como un cross-site scripting (XSS). Esto está relacionado con CVE-2020-5247, que corrigió esta vulnerabilidad pero solo para respuestas regulares. Esto se ha corregido en las versiones 4.3.3 y 3.12.4.

*Credits: N/A

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-01-02 CVE Reserved
2020-03-02 CVE Published
2024-06-26 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CAPEC

References (7)

URL	Tag	Source
https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58	Third Party Advisory
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v	Third Party Advisory
https://owasp.org/www-community/attacks/HTTP_Response_Splitting	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD	2023-11-07

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				<= 3.12.3 Search vendor "Puma" for product "Puma" and version " <= 3.12.3"		ruby		Affected
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				>= 4.0.0 <= 4.3.2 Search vendor "Puma" for product "Puma" and version " >= 4.0.0 <= 4.3.2"		ruby		Affected