gsd-2020-5249
Vulnerability from gsd
Modified
2020-03-03 00:00
Details
### Impact
If an application using Puma allows untrusted input in an early-hints header,
an attacker can use a carriage return character to end the header and inject
malicious content, such as additional headers or an entirely new response body.
This vulnerability is known as [HTTP Response
Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
While not an attack in itself, response splitting is a vector for several other
attacks, such as cross-site scripting (XSS).
This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),
which fixed this vulnerability but only for regular responses.
### Patches
This has been fixed in 4.3.3 and 3.12.4.
### Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-5249",
"description": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.",
"id": "GSD-2020-5249",
"references": [
"https://www.suse.com/security/cve/CVE-2020-5249.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma",
"purl": "pkg:gem/puma"
}
}
],
"aliases": [
"CVE-2020-5249",
"GHSA-33vf-4xgg-9r58"
],
"details": "### Impact\nIf an application using Puma allows untrusted input in an early-hints header,\nan attacker can use a carriage return character to end the header and inject\nmalicious content, such as additional headers or an entirely new response body.\nThis vulnerability is known as [HTTP Response\nSplitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n\nWhile not an attack in itself, response splitting is a vector for several other\nattacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),\nwhich fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.",
"id": "GSD-2020-5249",
"modified": "2020-03-03T00:00:00.000Z",
"published": "2020-03-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
}
],
"related": [
"CVE-2020-5247"
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.5,
"type": "CVSS_V3"
}
],
"summary": "HTTP Response Splitting (Early Hints) in Puma"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5249",
"STATE": "PUBLIC",
"TITLE": "HTTP Response Splitting (Early Hints) in Puma"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Puma",
"version": {
"version_data": [
{
"version_value": "\u003c 3.12.4"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
"refsource": "MISC",
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v",
"refsource": "MISC",
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"name": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3",
"refsource": "MISC",
"url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3"
},
{
"name": "FEDORA-2020-a3f26a9387",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/"
},
{
"name": "FEDORA-2020-fd87f90634",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/"
},
{
"name": "FEDORA-2020-08092b4c97",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/"
}
]
},
"source": {
"advisory": "GHSA-33vf-4xgg-9r58",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2020-5249",
"cvss_v3": 6.5,
"date": "2020-03-03",
"description": "### Impact\nIf an application using Puma allows untrusted input in an early-hints header,\nan attacker can use a carriage return character to end the header and inject\nmalicious content, such as additional headers or an entirely new response body.\nThis vulnerability is known as [HTTP Response\nSplitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n\nWhile not an attack in itself, response splitting is a vector for several other\nattacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),\nwhich fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.",
"gem": "puma",
"ghsa": "33vf-4xgg-9r58",
"patched_versions": [
"~\u003e 3.12.4",
"\u003e= 4.3.3"
],
"related": {
"cve": [
"2020-5247"
]
},
"title": "HTTP Response Splitting (Early Hints) in Puma",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=3.12.3||\u003e=4.0.0 \u003c=4.3.2",
"affected_versions": "All versions up to 3.12.3, all versions starting from 4.0.0 up to 4.3.2",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2020-04-09",
"description": "In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).",
"fixed_versions": [
"3.12.4",
"4.3.3"
],
"identifier": "CVE-2020-5249",
"identifiers": [
"CVE-2020-5249",
"GHSA-84j7-475p-hp8v"
],
"not_impacted": "All versions after 3.12.3 before 4.0.0, all versions after 4.3.2",
"package_slug": "gem/gitlab-puma",
"pubdate": "2020-03-02",
"solution": "Upgrade to versions 3.12.4, 4.3.3 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5249"
],
"uuid": "ddf150a3-0eeb-4fdb-8f57-50b19fd6448d"
},
{
"affected_range": "\u003c=3.12.3||\u003e=4.0.0 \u003c=4.3.2",
"affected_versions": "All versions up to 3.12.3, all versions starting from 4.0.0 up to 4.3.2",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2020-04-09",
"description": "In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).",
"fixed_versions": [
"3.12.4",
"4.3.3"
],
"identifier": "CVE-2020-5249",
"identifiers": [
"CVE-2020-5249",
"GHSA-84j7-475p-hp8v"
],
"not_impacted": "All versions after 3.12.3 before 4.0.0, all versions after 4.3.2",
"package_slug": "gem/puma",
"pubdate": "2020-03-02",
"solution": "Upgrade to versions 3.12.4, 4.3.3 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5249"
],
"uuid": "9b88f320-c56b-477d-8d32-f99f79147d74"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "3.12.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "4.3.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5249"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
{
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
},
{
"name": "FEDORA-2020-a3f26a9387",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/"
},
{
"name": "FEDORA-2020-fd87f90634",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/"
},
{
"name": "FEDORA-2020-08092b4c97",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-04-09T17:15Z",
"publishedDate": "2020-03-02T16:15Z"
}
}
}
Loading...
Loading...
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.