CVE-2021-41136

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Severity Score

3.7

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.

Puma es un servidor HTTP versión 1.1 para aplicaciones Ruby/Rack. Antes de las versiones 5.5.1 y 4.3.9, usar "puma" con un proxy que reenvíe valores del encabezado HTTP que contengan el carácter LF podía permitir el contrabando de peticiones HTTP. Un cliente podía pasar una petición mediante un proxy, causando que el proxy enviara una respuesta a otro cliente desconocido. El único proxy que presenta este comportamiento, hasta donde el equipo de Puma sabe, es Apache Traffic Server. Si el proxy usa conexiones persistentes y el cliente añade otra petición por medio de HTTP pipelining, el proxy puede confundirla con el cuerpo de la primera petición. Puma, sin embargo, lo vería como dos peticiones, y cuando procese la segunda petición, devolverá una respuesta que el proxy no espera. Si el proxy ha reusado la conexión persistente con Puma para enviar otra petición para un cliente diferente, la segunda respuesta del primer cliente será enviada al segundo cliente. Esta vulnerabilidad fue parcheada en Puma versiones 5.5.1 y 4.3.9. Como solución, no use Apache Traffic Server con "puma"

An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2021-09-15 CVE Reserved
2021-10-12 CVE Published
2024-01-04 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CAPEC

References (7)

URL	Tag	Source
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html	Mailing List

URL	Date	SRC

URL	Date	SRC
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f	2022-10-12

URL	Date	SRC
https://security.gentoo.org/glsa/202208-28	2022-10-12
https://www.debian.org/security/2022/dsa-5146	2022-10-12
https://access.redhat.com/security/cve/CVE-2021-41136	2022-07-05
https://bugzilla.redhat.com/show_bug.cgi?id=2013495	2022-07-05

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				<= 4.3.8 Search vendor "Puma" for product "Puma" and version " <= 4.3.8"		ruby		Affected
Puma Search vendor "Puma"		Puma Search vendor "Puma" for product "Puma"				>= 5.0.0 <= 5.5.0 Search vendor "Puma" for product "Puma" and version " >= 5.0.0 <= 5.5.0"		ruby		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected