Bug 1165524 - (CVE-2020-5249) VUL-1: CVE-2020-5249: rubygem-puma: if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Dario Maiocchi
Security Team bot
https://smash.suse.de/issue/254082/
CVSSv2:NVD:CVE-2020-5249:4.0:(AV:N/A...
Reported: 2020-03-03 09:28 UTC by Wolfgang Frisch
Modified: 2021-01-13 13:07 UTC
Found By: Security Response Team
Description Wolfgang Frisch 2020-03-03 09:28:42 UTC
CVE-2020-5249

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows
untrusted input in an early-hints header, an attacker can use a carriage return
character to end the header and inject malicious content, such as additional
headers or an entirely new response body. This vulnerability is known as HTTP
Response Splitting. While not an attack in itself, response splitting is a
vector for several other attacks, such as cross-site scripting (XSS). This is
related to CVE-2020-5247, which fixed this vulnerability but only for regular
responses. This has been fixed in 4.3.3 and 3.12.4.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-5249
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249
https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
https://owasp.org/www-community/attacks/HTTP_Response_Splitting
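
The header-splitting pattern described above, as an added Ruby example (not Puma's code and not part of the original report): a serializer that interpolates early-hints values verbatim, next to one that rejects CR and LF. All function names and the sample headers are constructed for illustration; rejecting LF as well as CR goes slightly beyond the CR case the description names.

```ruby
# Added illustration; not Puma's implementation. All names are hypothetical.
CRLF = "\r\n".freeze
LINE_BREAK = /[\r\n]/.freeze
STATUS_LINE = "HTTP/1.1 103 Early Hints".freeze

# Vulnerable pattern: values are interpolated verbatim, so a CR/LF inside a
# value ends that header line and whatever follows is parsed as a new line.
def early_hints_unsafe(headers)
  lines = headers.map { |name, value| "#{name}: #{value}" }
  ([STATUS_LINE] + lines).join(CRLF) + CRLF + CRLF
end

# Hardened pattern: any header whose name or value contains CR or LF is
# dropped, and the dropped names are returned so the caller can log them.
def early_hints_safe(headers)
  kept, rejected = headers.partition do |name, value|
    name.to_s !~ LINE_BREAK && value.to_s !~ LINE_BREAK
  end
  lines = kept.map { |name, value| "#{name}: #{value}" }
  block = ([STATUS_LINE] + lines).join(CRLF) + CRLF + CRLF
  [block, rejected.map(&:first)]
end

# Number of header lines a client would parse out of a serialized block.
def header_line_count(block)
  block.split(CRLF).drop(1).reject(&:empty?).size
end

# Constructed sample: the second value stands in for untrusted input and
# embeds CR LF followed by an extra header line.
SAMPLE = [
  ["Link", "</app.css>; rel=preload; as=style"],
  ["Link", "</user-supplied>; rel=preload\r\nX-Injected: 1"]
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "unsafe header lines: #{header_line_count(early_hints_unsafe(SAMPLE))}"
  block, rejected = early_hints_safe(SAMPLE)
  puts "safe header lines:   #{header_line_count(block)}"
  puts "rejected headers:    #{rejected.inspect}"
end
```
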
Comment 2 Dario Maiocchi 2021-01-13 13:07:20 UTC
fixed