CVE-2020-11076

Source

https://nvd.nist.gov/vuln/detail/CVE-2020-11076

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-11076.json

Aliases

GHSA-x7jg-6pwg-fx5h

Related

DLA-2398-1
USN-6682-1

Published

2020-05-22T15:15:11Z

Modified

2023-11-29T07:45:14.074253Z

Details

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

References

https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/

Affected packages

Git / github.com/puma/puma

Affected ranges

Type: GIT
Repo: https://github.com/puma/puma
Events: Fixed

f24d5521295a2152c286abb0a45a1e1e2bd275bd

Introduced

f5d7600e4e4d9104803b5f0f5f596f8dc45fc191

Introduced

f0762d1216c825009a5d3d0a13d1d3ec1ff95682

Affected versions

v4.*

v4.0.0

v4.0.1

v4.1.0

v4.2.0

v4.2.1

v4.3.0

v4.3.1

v4.3.2

v4.3.3