// For flags

CVE-2021-41136

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Severity Score

3.7
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.

Puma es un servidor HTTP versión 1.1 para aplicaciones Ruby/Rack. Antes de las versiones 5.5.1 y 4.3.9, usar "puma" con un proxy que reenvíe valores del encabezado HTTP que contengan el carácter LF podía permitir el contrabando de peticiones HTTP. Un cliente podía pasar una petición mediante un proxy, causando que el proxy enviara una respuesta a otro cliente desconocido. El único proxy que presenta este comportamiento, hasta donde el equipo de Puma sabe, es Apache Traffic Server. Si el proxy usa conexiones persistentes y el cliente añade otra petición por medio de HTTP pipelining, el proxy puede confundirla con el cuerpo de la primera petición. Puma, sin embargo, lo vería como dos peticiones, y cuando procese la segunda petición, devolverá una respuesta que el proxy no espera. Si el proxy ha reusado la conexión persistente con Puma para enviar otra petición para un cliente diferente, la segunda respuesta del primer cliente será enviada al segundo cliente. Esta vulnerabilidad fue parcheada en Puma versiones 5.5.1 y 4.3.9. Como solución, no use Apache Traffic Server con "puma"

An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
High
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-09-15 CVE Reserved
  • 2021-10-12 CVE Published
  • 2024-01-04 EPSS Updated
  • 2024-08-04 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Puma
Search vendor "Puma"
Puma
Search vendor "Puma" for product "Puma"
<= 4.3.8
Search vendor "Puma" for product "Puma" and version " <= 4.3.8"
ruby
Affected
Puma
Search vendor "Puma"
Puma
Search vendor "Puma" for product "Puma"
>= 5.0.0 <= 5.5.0
Search vendor "Puma" for product "Puma" and version " >= 5.0.0 <= 5.5.0"
ruby
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
10.0
Search vendor "Debian" for product "Debian Linux" and version "10.0"
-
Affected
Debian
Search vendor "Debian"
Debian Linux
Search vendor "Debian" for product "Debian Linux"
11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected