GSD-2020-5249
Vulnerability from gsd - Updated: 2020-03-03 00:00Details
### Impact
If an application using Puma allows untrusted input in an early-hints header,
an attacker can use a carriage return character to end the header and inject
malicious content, such as additional headers or an entirely new response body.
This vulnerability is known as [HTTP Response
Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)
While not an attack in itself, response splitting is a vector for several other
attacks, such as cross-site scripting (XSS).
This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),
which fixed this vulnerability but only for regular responses.
### Patches
This has been fixed in 4.3.3 and 3.12.4.
### Workarounds
Users can not allow untrusted/user input in the Early Hints response header.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2020-5249",
"description": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.",
"id": "GSD-2020-5249",
"references": [
"https://www.suse.com/security/cve/CVE-2020-5249.html"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma",
"purl": "pkg:gem/puma"
}
}
],
"aliases": [
"CVE-2020-5249",
"GHSA-33vf-4xgg-9r58"
],
"details": "### Impact\nIf an application using Puma allows untrusted input in an early-hints header,\nan attacker can use a carriage return character to end the header and inject\nmalicious content, such as additional headers or an entirely new response body.\nThis vulnerability is known as [HTTP Response\nSplitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n\nWhile not an attack in itself, response splitting is a vector for several other\nattacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),\nwhich fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.",
"id": "GSD-2020-5249",
"modified": "2020-03-03T00:00:00.000Z",
"published": "2020-03-03T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
}
],
"related": [
"CVE-2020-5247"
],
"schema_version": "1.4.0",
"severity": [
{
"score": 6.5,
"type": "CVSS_V3"
}
],
"summary": "HTTP Response Splitting (Early Hints) in Puma"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5249",
"STATE": "PUBLIC",
"TITLE": "HTTP Response Splitting (Early Hints) in Puma"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Puma",
"version": {
"version_data": [
{
"version_value": "\u003c 3.12.4"
},
{
"version_value": "\u003e= 4.0.0, \u003c 4.3.3"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers (\u0027HTTP Response Splitting\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
"refsource": "MISC",
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v",
"refsource": "MISC",
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"name": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3",
"refsource": "MISC",
"url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3"
},
{
"name": "FEDORA-2020-a3f26a9387",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/"
},
{
"name": "FEDORA-2020-fd87f90634",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/"
},
{
"name": "FEDORA-2020-08092b4c97",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/"
}
]
},
"source": {
"advisory": "GHSA-33vf-4xgg-9r58",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2020-5249",
"cvss_v3": 6.5,
"date": "2020-03-03",
"description": "### Impact\nIf an application using Puma allows untrusted input in an early-hints header,\nan attacker can use a carriage return character to end the header and inject\nmalicious content, such as additional headers or an entirely new response body.\nThis vulnerability is known as [HTTP Response\nSplitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting)\n\nWhile not an attack in itself, response splitting is a vector for several other\nattacks, such as cross-site scripting (XSS).\n\nThis is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v),\nwhich fixed this vulnerability but only for regular responses.\n\n### Patches\nThis has been fixed in 4.3.3 and 3.12.4.\n\n### Workarounds\nUsers can not allow untrusted/user input in the Early Hints response header.",
"gem": "puma",
"ghsa": "33vf-4xgg-9r58",
"patched_versions": [
"~\u003e 3.12.4",
"\u003e= 4.3.3"
],
"related": {
"cve": [
"2020-5247"
]
},
"title": "HTTP Response Splitting (Early Hints) in Puma",
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c=3.12.3||\u003e=4.0.0 \u003c=4.3.2",
"affected_versions": "All versions up to 3.12.3, all versions starting from 4.0.0 up to 4.3.2",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2020-04-09",
"description": "In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).",
"fixed_versions": [
"3.12.4",
"4.3.3"
],
"identifier": "CVE-2020-5249",
"identifiers": [
"CVE-2020-5249",
"GHSA-84j7-475p-hp8v"
],
"not_impacted": "All versions after 3.12.3 before 4.0.0, all versions after 4.3.2",
"package_slug": "gem/gitlab-puma",
"pubdate": "2020-03-02",
"solution": "Upgrade to versions 3.12.4, 4.3.3 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5249"
],
"uuid": "ddf150a3-0eeb-4fdb-8f57-50b19fd6448d"
},
{
"affected_range": "\u003c=3.12.3||\u003e=4.0.0 \u003c=4.3.2",
"affected_versions": "All versions up to 3.12.3, all versions starting from 4.0.0 up to 4.3.2",
"cvss_v2": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-74",
"CWE-937"
],
"date": "2020-04-09",
"description": "In Puma (RubyGem), if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).",
"fixed_versions": [
"3.12.4",
"4.3.3"
],
"identifier": "CVE-2020-5249",
"identifiers": [
"CVE-2020-5249",
"GHSA-84j7-475p-hp8v"
],
"not_impacted": "All versions after 3.12.3 before 4.0.0, all versions after 4.3.2",
"package_slug": "gem/puma",
"pubdate": "2020-03-02",
"solution": "Upgrade to versions 3.12.4, 4.3.3 or above.",
"title": "Injection Vulnerability",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5249"
],
"uuid": "9b88f320-c56b-477d-8d32-f99f79147d74"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "3.12.3",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndIncluding": "4.3.2",
"versionStartIncluding": "4.0.0",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2020-5249"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-74"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58",
"refsource": "CONFIRM",
"tags": [
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58"
},
{
"name": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://owasp.org/www-community/attacks/HTTP_Response_Splitting"
},
{
"name": "FEDORA-2020-a3f26a9387",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/"
},
{
"name": "FEDORA-2020-fd87f90634",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/"
},
{
"name": "FEDORA-2020-08092b4c97",
"refsource": "FEDORA",
"tags": [],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "NONE",
"baseScore": 4.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 3.6
}
},
"lastModifiedDate": "2020-04-09T17:15Z",
"publishedDate": "2020-03-02T16:15Z"
}
}
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…