CVE-2020-11077
Vulnerability from cvelistv5
Published
2020-05-22 14:55
Modified
2024-08-04 11:21
Severity ?
EPSS score ?
Summary
HTTP Smuggling via Transfer-Encoding Header in Puma
References
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T11:21:14.618Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22" }, { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm" }, { "name": "openSUSE-SU-2020:0990", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html" }, { "name": "openSUSE-SU-2020:1001", "tags": [ "vendor-advisory", "x_refsource_SUSE", "x_transferred" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html" }, { "name": "FEDORA-2020-fe354f24e8", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/" }, { "name": "[debian-lts-announce] 20201007 [SECURITY] [DLA 2398-1] puma security update", "tags": [ "mailing-list", "x_refsource_MLIST", "x_transferred" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "puma", "vendor": "puma", "versions": [ { "status": "affected", "version": "\u003c 3.12.6" }, { "status": "affected", "version": "\u003e= 4.0.0, \u003c 4.3.5" } ] } ], "descriptions": [ { "lang": "en", "value": "In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2020-10-07T12:06:27", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22" }, { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm" }, { "name": "openSUSE-SU-2020:0990", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html" }, { "name": "openSUSE-SU-2020:1001", "tags": [ "vendor-advisory", "x_refsource_SUSE" ], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html" }, { "name": "FEDORA-2020-fe354f24e8", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/" }, { "name": "[debian-lts-announce] 20201007 [SECURITY] [DLA 2398-1] puma security update", "tags": [ "mailing-list", "x_refsource_MLIST" ], "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html" } ], "source": { "advisory": "GHSA-w64w-qqph-5gxm", "discovery": "UNKNOWN" }, "title": "HTTP Smuggling via Transfer-Encoding Header in Puma", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-11077", "STATE": "PUBLIC", "TITLE": "HTTP Smuggling via Transfer-Encoding Header in Puma" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "puma", "version": { "version_data": [ { "version_value": "\u003c 3.12.6" }, { "version_value": "\u003e= 4.0.0, \u003c 4.3.5" } ] } } ] }, "vendor_name": "puma" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5." } ] }, "impact": { "cvss": { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22", "refsource": "MISC", "url": "https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22" }, { "name": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm", "refsource": "CONFIRM", "url": "https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm" }, { "name": "openSUSE-SU-2020:0990", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html" }, { "name": "openSUSE-SU-2020:1001", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html" }, { "name": "FEDORA-2020-fe354f24e8", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/" }, { "name": "[debian-lts-announce] 20201007 [SECURITY] [DLA 2398-1] puma security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html" } ] }, "source": { "advisory": "GHSA-w64w-qqph-5gxm", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-11077", "datePublished": "2020-05-22T14:55:13", "dateReserved": "2020-03-30T00:00:00", "dateUpdated": "2024-08-04T11:21:14.618Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-11077\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-05-22T15:15:11.507\",\"lastModified\":\"2023-11-07T03:14:29.117\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request\u0027s body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.\"},{\"lang\":\"es\",\"value\":\"En Puma (RubyGem) versiones anteriores a 4.3.5 y 3.12.6, un cliente podr\u00eda hacer pasar sin autorizaci\u00f3n una petici\u00f3n por medio de un proxy, causando que el proxy env\u00ede una respuesta a otro cliente desconocido. Si el proxy usa conexiones persistentes y el cliente agrega otra petici\u00f3n por medio de la canalizaci\u00f3n HTTP, el proxy puede confundirlo como el cuerpo de la primera petici\u00f3n. Sin embargo, Puma lo ver\u00eda como dos peticiones y, al procesar la segunda petici\u00f3n, devolver\u00eda una respuesta que el proxy no espera. Si el proxy ha reutilizado la conexi\u00f3n persistente a Puma para enviar otra petici\u00f3n para un cliente diferente, la segunda respuesta desde el primer cliente ser\u00e1 enviada al segundo cliente. Esta es una vulnerabilidad similar pero diferente de CVE-2020-11076. El problema se ha corregido en Puma versi\u00f3n 3.12.6 y Puma versi\u00f3n 4.3.5.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\",\"baseScore\":6.8,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.2,\"impactScore\":4.0}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:N/I:P/A:N\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.0},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":10.0,\"impactScore\":2.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-444\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"3.0.0\",\"versionEndExcluding\":\"3.12.6\",\"matchCriteriaId\":\"94D6645C-59B2-466F-A147-B23EF284DEBA\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.3.5\",\"matchCriteriaId\":\"916E4164-0951-4145-85D6-684EF781F13A\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DEECE5FC-CACF-4496-A3E7-164736409252\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B620311B-34A3-48A6-82DF-6F078D7A4493\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:opensuse:leap:15.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"B009C22E-30A4-4288-BCF6-C3E81DEAF45A\"}]}]}],\"references\":[{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/\",\"source\":\"security-advisories@github.com\"}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.