SB2020033147 - Fedora 31 update for rubygem-puma

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020033147

SB2020033147 - Fedora 31 update for rubygem-puma

Published: March 31, 2020 Updated: April 25, 2025

Security Bulletin ID SB2020033147
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) HTTP response splitting (CVE-ID: CVE-2020-5247)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not corrector process CRLF character sequences in a response header. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.


2) HTTP response splitting (CVE-ID: CVE-2020-5249)

The vulnerability allows a remote attacker to perform HTTP splitting attacks.

The vulnerability exists due to software does not corrector process CRLF character sequences in an early-hints header. A remote attacker can send specially crafted request containing CRLF sequence and make the application to send a split HTTP response.

Successful exploitation of the vulnerability may allow an attacker perform cache poisoning attack.

Note: This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.


Remediation

Install update from vendor's website.

References