gsd-2022-24790
Vulnerability from gsd
Modified
2022-03-30 00:00
Details
### Impact
When using Puma behind a proxy that does not properly validate that the
incoming HTTP request matches the RFC7230 standard, Puma and the frontend
proxy may disagree on where a request starts and ends. This would allow
requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings
should be rejected and the final encoding must be `chunked`.
- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when
only digits and hex digits should be allowed.
- Lenient parsing of duplicate `Content-Length` headers, when they should be
rejected.
- Lenient parsing of the ending of chunked segments, when they should end
with `\r\n`.
### Patches
The vulnerability has been fixed in 5.6.4 and 4.3.12.
### Workarounds
When deploying a proxy in front of Puma, turning on any and all functionality
to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have "good" behavior re: this standard and
upgrading Puma may not be necessary. Users are encouraged to validate for
themselves.
- Nginx (latest)
- Apache (latest)
- Haproxy 2.5+
- Caddy (latest)
- Traefik (latest)
### References
[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-24790",
"description": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
"id": "GSD-2022-24790",
"references": [
"https://www.suse.com/security/cve/CVE-2022-24790.html",
"https://security.archlinux.org/CVE-2022-24790",
"https://www.debian.org/security/2022/dsa-5146",
"https://access.redhat.com/errata/RHSA-2022:8532"
]
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "puma",
"purl": "pkg:gem/puma"
}
}
],
"aliases": [
"CVE-2022-24790",
"GHSA-h99w-9q5r-gjq9"
],
"details": "### Impact\n\nWhen using Puma behind a proxy that does not properly validate that the\nincoming HTTP request matches the RFC7230 standard, Puma and the frontend\nproxy may disagree on where a request starts and ends. This would allow\nrequests to be smuggled via the front-end proxy to Puma.\n\nThe following vulnerabilities are addressed by this advisory:\n- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings\n should be rejected and the final encoding must be `chunked`.\n- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when\n only digits and hex digits should be allowed.\n- Lenient parsing of duplicate `Content-Length` headers, when they should be\n rejected.\n- Lenient parsing of the ending of chunked segments, when they should end\n with `\\r\\n`.\n\n### Patches\n\nThe vulnerability has been fixed in 5.6.4 and 4.3.12.\n\n### Workarounds\n\nWhen deploying a proxy in front of Puma, turning on any and all functionality\nto make sure that the request matches the RFC7230 standard.\n\nThese proxy servers are known to have \"good\" behavior re: this standard and\nupgrading Puma may not be necessary. Users are encouraged to validate for\nthemselves.\n\n- Nginx (latest)\n- Apache (latest)\n- Haproxy 2.5+\n- Caddy (latest)\n- Traefik (latest)\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n",
"id": "GSD-2022-24790",
"modified": "2022-03-30T00:00:00.000Z",
"published": "2022-03-30T00:00:00.000Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
},
{
"type": "WEB",
"url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": 9.1,
"type": "CVSS_V3"
}
],
"summary": "HTTP Request Smuggling in puma"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24790",
"STATE": "PUBLIC",
"TITLE": "HTTP Request Smuggling in puma"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "puma",
"version": {
"version_data": [
{
"version_value": "\u003c 4.3.12"
},
{
"version_value": "\u003e= 5.0.0, \u003c 5.6.4"
}
]
}
}
]
},
"vendor_name": "puma"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard."
}
]
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-444: Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9",
"refsource": "CONFIRM",
"url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
},
{
"name": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5",
"refsource": "MISC",
"url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5"
},
{
"name": "DSA-5146",
"refsource": "DEBIAN",
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "GLSA-202208-28",
"refsource": "GENTOO",
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"refsource": "MLIST",
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"refsource": "FEDORA",
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
]
},
"source": {
"advisory": "GHSA-h99w-9q5r-gjq9",
"discovery": "UNKNOWN"
}
},
"github.com/rubysec/ruby-advisory-db": {
"cve": "2022-24790",
"cvss_v3": 9.1,
"date": "2022-03-30",
"description": "### Impact\n\nWhen using Puma behind a proxy that does not properly validate that the\nincoming HTTP request matches the RFC7230 standard, Puma and the frontend\nproxy may disagree on where a request starts and ends. This would allow\nrequests to be smuggled via the front-end proxy to Puma.\n\nThe following vulnerabilities are addressed by this advisory:\n- Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings\n should be rejected and the final encoding must be `chunked`.\n- Lenient parsing of malformed `Content-Length` headers and chunk sizes, when\n only digits and hex digits should be allowed.\n- Lenient parsing of duplicate `Content-Length` headers, when they should be\n rejected.\n- Lenient parsing of the ending of chunked segments, when they should end\n with `\\r\\n`.\n\n### Patches\n\nThe vulnerability has been fixed in 5.6.4 and 4.3.12.\n\n### Workarounds\n\nWhen deploying a proxy in front of Puma, turning on any and all functionality\nto make sure that the request matches the RFC7230 standard.\n\nThese proxy servers are known to have \"good\" behavior re: this standard and\nupgrading Puma may not be necessary. Users are encouraged to validate for\nthemselves.\n\n- Nginx (latest)\n- Apache (latest)\n- Haproxy 2.5+\n- Caddy (latest)\n- Traefik (latest)\n\n### References\n\n[HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)\n",
"gem": "puma",
"ghsa": "h99w-9q5r-gjq9",
"patched_versions": [
"~\u003e 4.3.12",
"\u003e= 5.6.4"
],
"related": {
"url": [
"https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5"
]
},
"title": "HTTP Request Smuggling in puma",
"url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
},
"gitlab.com": {
"advisories": [
{
"affected_range": "\u003c4.3.12||\u003e=5.0.0 \u003c5.6.4",
"affected_versions": "All versions before 4.3.12, all versions starting from 5.0.0 before 5.6.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-444",
"CWE-937"
],
"date": "2022-10-12",
"description": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
"fixed_versions": [],
"identifier": "CVE-2022-24790",
"identifiers": [
"CVE-2022-24790",
"GHSA-h99w-9q5r-gjq9"
],
"not_impacted": "",
"package_slug": "gem/gitlab-puma",
"pubdate": "2022-03-30",
"solution": "Unfortunately, there is no solution available yet.",
"title": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2022-24790",
"https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5",
"https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
],
"uuid": "d511407c-e0b0-45e0-8d87-5ca4f9ae7123"
},
{
"affected_range": "\u003c4.3.12||\u003e=5.0.0 \u003c5.6.4",
"affected_versions": "All versions before 4.3.12, all versions starting from 5.0.0 before 5.6.4",
"cvss_v2": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"cwe_ids": [
"CWE-1035",
"CWE-444",
"CWE-937"
],
"date": "2022-10-12",
"description": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.",
"fixed_versions": [
"4.3.12",
"5.6.4"
],
"identifier": "CVE-2022-24790",
"identifiers": [
"CVE-2022-24790",
"GHSA-h99w-9q5r-gjq9"
],
"not_impacted": "All versions starting from 4.3.12 before 5.0.0, all versions starting from 5.6.4",
"package_slug": "gem/puma",
"pubdate": "2022-03-30",
"solution": "Upgrade to versions 4.3.12, 5.6.4 or above.",
"title": "Inconsistent Interpretation of HTTP Requests (\u0027HTTP Request Smuggling\u0027)",
"urls": [
"https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9",
"https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5",
"https://github.com/advisories/GHSA-h99w-9q5r-gjq9"
],
"uuid": "e3fa2ba1-01ed-4de4-8bc1-8761adf07836"
}
]
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "4.3.12",
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*",
"cpe_name": [],
"versionEndExcluding": "5.6.4",
"versionStartIncluding": "5.0.0",
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "security-advisories@github.com",
"ID": "CVE-2022-24790"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-444"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5",
"refsource": "MISC",
"tags": [
"Patch",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5"
},
{
"name": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9",
"refsource": "CONFIRM",
"tags": [
"Issue Tracking",
"Third Party Advisory"
],
"url": "https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9"
},
{
"name": "DSA-5146",
"refsource": "DEBIAN",
"tags": [
"Third Party Advisory"
],
"url": "https://www.debian.org/security/2022/dsa-5146"
},
{
"name": "GLSA-202208-28",
"refsource": "GENTOO",
"tags": [
"Third Party Advisory"
],
"url": "https://security.gentoo.org/glsa/202208-28"
},
{
"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update",
"refsource": "MLIST",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"
},
{
"name": "FEDORA-2022-de968d1b6c",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/"
},
{
"name": "FEDORA-2022-52d0032596",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/"
},
{
"name": "FEDORA-2022-7c8b29195f",
"refsource": "FEDORA",
"tags": [
"Mailing List",
"Third Party Advisory"
],
"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/"
}
]
}
},
"impact": {
"baseMetricV2": {
"acInsufInfo": false,
"cvssV2": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"userInteractionRequired": false
},
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6
}
},
"lastModifiedDate": "2022-10-12T13:15Z",
"publishedDate": "2022-03-30T22:15Z"
}
}
}
Loading...