GHSA-33vf-4xgg-9r58

Source
https://github.com/advisories/GHSA-33vf-4xgg-9r58
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/03/GHSA-33vf-4xgg-9r58/GHSA-33vf-4xgg-9r58.json
Aliases
Published
2020-03-03T23:33:16Z
Modified
2024-05-23T01:28:25.835595Z
Summary
HTTP Response Splitting (Early Hints) in Puma
Details

Impact

If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.

While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses.

Patches

This has been fixed in 4.3.3 and 3.12.4.

Workarounds

Users can not allow untrusted/user input in the Early Hints response header.

For more information

If you have any questions or comments about this advisory: * Open an issue in puma * Email us a project maintainer. Email addresses are listed in our Code of Conduct.

References

Affected packages

RubyGems / puma

Package

Name
puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0The exact introduced commit is unknown
Fixed
3.12.4

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0.b1
2.0.0.b2
2.0.0.b3
2.0.0.b4
2.0.0.b5
2.0.0.b6
2.0.0.b7
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.15.0
2.15.1
2.15.2
2.15.3
2.16.0

3.*

3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2

RubyGems / puma

Package

Name
puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
4.0.0
Fixed
4.3.3

Affected versions

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
4.3.1