Vulnerability Details: CVE-2020-5249
In the Puma RubyGem before 4.3.3 (4.x) and before 3.12.4 (3.x), if an application lets untrusted input reach an early-hints header (the headers an application passes to the Rack `rack.early_hints` callable, which Puma writes out as an `HTTP/1.1 103 Early Hints` response), an attacker can use a carriage return character to terminate the header line and inject content of their own, such as additional headers or an entirely new response body. This class of flaw is HTTP response splitting (CRLF injection). Response splitting is not an attack by itself but a vector for others, such as cross-site scripting (XSS) via an injected body, or cookie and cache manipulation via injected headers. The issue is related to CVE-2020-5247, whose fix validated header names and values only for regular responses and left the early-hints path unchecked. Fixed in Puma 4.3.3 and 3.12.4.
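The following Ruby illustration is an added example, not Puma's own code or patch. It shows the vulnerable shape of an early-hints writer that interpolates header values straight into the wire format, how a single bare carriage return in a value splits the 103 response into an extra header and a body when read by a lenient parser, and a hardened writer that rejects CR and LF (and non-token header names) before serialising. The `parse_response` helper and the `Link` header value are constructed for the demo; `HeaderInjectionError` is a name chosen here.

```ruby
# Added illustration of CVE-2020-5249 (not Puma's code): a CR in an
# early-hints header value splits the 103 response, and a check closes it.
CRLF = "\r\n".freeze

# A bare CR is rejected as well as LF, because lenient line-splitting
# parsers (many proxies and clients) treat a lone \r as a line terminator.
ILLEGAL_HEADER_VALUE = /[\r\n]/.freeze
# Header names must be RFC 7230 tokens; anything else is refused.
ILLEGAL_HEADER_NAME  = /[^!#$%&'*+\-.^_`|~0-9A-Za-z]/.freeze

class HeaderInjectionError < StandardError; end

# Vulnerable shape: application-supplied names and values are written to
# the socket unchecked, which is the pre-4.3.3 / pre-3.12.4 behaviour
# the advisory describes for early hints.
def build_early_hints_vulnerable(headers)
  out = "HTTP/1.1 103 Early Hints#{CRLF}"
  headers.each { |k, v| out << "#{k}: #{v}#{CRLF}" }
  out << CRLF
end

# Hardened shape: refuse any name or value carrying CR or LF. Raising rather
# than silently stripping surfaces the application bug that let untrusted
# input reach a header in the first place.
def build_early_hints_hardened(headers)
  out = "HTTP/1.1 103 Early Hints#{CRLF}"
  headers.each do |k, v|
    k = k.to_s
    v = v.to_s
    raise HeaderInjectionError, "illegal header name: #{k.inspect}" if k =~ ILLEGAL_HEADER_NAME
    raise HeaderInjectionError, "illegal header value: #{v.inspect}" if v =~ ILLEGAL_HEADER_VALUE
    out << "#{k}: #{v}#{CRLF}"
  end
  out << CRLF
end

# Constructed lenient parser: accepts \r\n, \n or a bare \r as a line end,
# and the first blank line (in any of those forms) as the header/body split.
# Returns [status_line, header_lines, body].
def parse_response(raw)
  head, body = raw.split(/\r\n\r\n|\n\n|\r\r/, 2)
  lines = head.split(/\r\n|\n|\r/)
  [lines.first, lines.drop(1), body.to_s]
end

# Constructed attacker input: the value an application might build from a
# query parameter for a Link preload hint, with a CR-delimited payload.
EVIL_HEADERS = {
  "Link" => "</app.js>; rel=preload\rSet-Cookie: session=evil\r\r<html>injected</html>"
}.freeze

if __FILE__ == $PROGRAM_NAME
  status, hdrs, body = parse_response(build_early_hints_vulnerable(EVIL_HEADERS))
  puts "status: #{status}"
  puts "headers seen by a lenient parser: #{hdrs.inspect}"
  puts "body seen by a lenient parser: #{body.inspect}"
  begin
    build_early_hints_hardened(EVIL_HEADERS)
  rescue HeaderInjectionError => e
    puts "hardened writer rejected it: #{e.message}"
  end
end
```

Run against the constructed input, the vulnerable writer produces a response in which a lenient parser sees a forged `Set-Cookie` header and an attacker-chosen HTML body after the 103 status line; the hardened writer raises before anything is written. The check belongs in the server (as the Puma fix did), but an application that forwards user input into early hints should also validate it, since the server-side check turns the injection into an error rather than a safe response.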
Vulnerability category: HTTP response splitting (CRLF injection); listed under Cross site scripting (XSS) because an injected response body is the usual way the split is weaponised
Products affected by CVE-2020-5249
- cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:* (3.x versions before 3.12.4)
- cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:* (4.x versions before 4.3.3)
Exploit prediction scoring system (EPSS) score for CVE-2020-5249
- EPSS score: 0.50% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~65% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2020-5249
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source
---|---|---|---|---|---
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N (CVSS v2) | 8.0 | 2.9 | NIST
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 2.8 | 3.6 | NIST
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L | 2.3 | 3.7 | GitHub, Inc.

The two v3.1 vectors model the flaw differently: NIST scores the injection itself (high integrity impact on the server's response, scope unchanged), while GitHub scores the downstream client-side consequence (user interaction required, scope changed to the browser, low impact on each of confidentiality, integrity and availability). Both arrive at 6.5.
CWE ids for CVE-2020-5249
- CWE-74, Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'): the product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Assigned by: nvd@nist.gov (Primary)
- CWE-113, Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting'): the product receives data from an HTTP agent/component (e.g., web server, proxy, browser, etc.), but it does not neutralize or incorrectly neutralizes CR and LF characters before the data is included in outgoing HTTP headers. Assigned by: security-advisories@github.com (Secondary)
References for CVE-2020-5249
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
  [SECURITY] Fedora 32 Update: rubygem-puma-4.3.3-1.fc32 (Fedora package-announce)
- https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
  HTTP Response Splitting (Early Hints), puma/puma GitHub advisory (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
  [SECURITY] Fedora 30 Update: rubygem-puma-3.12.4-1.fc30 (Fedora package-announce)
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
  HTTP Response Splitting, OWASP (Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
  [SECURITY] Fedora 31 Update: rubygem-puma-3.12.4-1.fc31 (Fedora package-announce)
- https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
  HTTP Injection - fix bug + 1 more vector (#2136), puma/puma commit c22712f (Patch; Third Party Advisory)
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
  HTTP Response Splitting, puma/puma GitHub advisory for the related CVE-2020-5247 (Third Party Advisory)