GHSA-h99w-9q5r-gjq9
Vulnerability from github
Published
2022-03-30 21:48
Modified
2022-08-16 19:37
Severity ?
Summary
Puma vulnerable to HTTP Request Smuggling
Details

When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.

The following vulnerabilities are addressed by this advisory: - Lenient parsing of Transfer-Encoding headers, when unsupported encodings should be rejected and the final encoding must be chunked. - Lenient parsing of malformed Content-Length headers and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate Content-Length headers, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with \r\n.

The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.

These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.

  • Nginx (latest)
  • Apache (latest)
  • Haproxy 2.5+
  • Caddy (latest)
  • Traefik (latest)
Show details on source website


{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.0.0"
            },
            {
              "fixed": "5.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "puma"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.3.12"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-24790"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-03-30T21:48:50Z",
    "nvd_published_at": "2022-03-30T22:15:00Z",
    "severity": "CRITICAL"
  },
  "details": "When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.\n\nThe following vulnerabilities are addressed by this advisory:\n- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings should be rejected and the final encoding must be `chunked`.\n- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when only digits and hex digits should be allowed.\n- Lenient parsing of duplicate `Content-Length` headers, when they should be rejected.\n- Lenient parsing of the ending of chunked segments, when they should end with `\\r\\n`.\n\nThe vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard. \n\nThese proxy servers are known to have \"good\" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.\n\n- Nginx (latest)\n- Apache (latest)\n- Haproxy 2.5+\n- Caddy (latest)\n- Traefik (latest)",
  "id": "GHSA-h99w-9q5r-gjq9",
  "modified": "2022-08-16T19:37:40Z",
  "published": "2022-03-30T21:48:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-24790"
    },
    {
      "type": "WEB",
      "url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/puma/puma"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml"
    },
    {
      "type": "WEB",
      "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G"
    },
    {
      "type": "WEB",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB"
    },
    {
      "type": "WEB",
      "url": "https://portswigger.net/web-security/request-smuggling"
    },
    {
      "type": "WEB",
      "url": "https://security.gentoo.org/glsa/202208-28"
    },
    {
      "type": "WEB",
      "url": "https://www.debian.org/security/2022/dsa-5146"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Puma vulnerable to HTTP Request Smuggling"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.