SB2020030309 - Multiple vulnerabilities in Puma web server for Ruby
Published: March 3, 2020
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) HTTP response splitting (CVE-ID: CVE-2020-5247)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not corrector process CRLF character sequences in a response header. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
2) HTTP response splitting (CVE-ID: CVE-2020-5249)
The vulnerability allows a remote attacker to perform HTTP splitting attacks.
The vulnerability exists due to software does not corrector process CRLF character sequences in an early-hints header. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.
Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.
Note: This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.
Remediation
Install update from vendor's website.
References
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
- https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
- https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58