Description: In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Exploitability: 3.9 | Impact: 3.6
Attack Vector: Network
Complexity: Low
Privileges: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
Affected Packages: 7 packages
Also affects: Debian Linux 9.0, Fedora 33
🔴 Vulnerability Details (5)
OSV: puma vulnerabilities (2024-03-07)
OSV: CVE-2020-11077: In Puma (RubyGem) before 4 (2020-05-22)
GHSA: HTTP Smuggling via Transfer-Encoding Header in Puma (2020-05-22)
OSV: CVE-2020-11076: In Puma (RubyGem) before 4 (2020-05-22)
OSV: HTTP Smuggling via Transfer-Encoding Header in Puma (2020-05-22)
📋 Vendor Advisories (5)
Ubuntu: Puma vulnerabilities (2024-03-07)
Red Hat: rubygem-puma: HTTP Smuggling via an invalid Transfer-Encoding Header (2020-05-21)
Red Hat: rubygem-puma: HTTP Smuggling through a proxy via Transfer-Encoding Header (2020-05-21)
Debian: CVE-2020-11077: puma - In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request thro... (2020)
Debian: CVE-2020-11076: puma - In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP res... (2020)
💬 Community (3)
Bugzilla: CVE-2020-11077 rubygem-puma: HTTP Smuggling through a proxy via Transfer-Encoding Header (2020-06-01)
Bugzilla: CVE-2020-11076 rubygem-puma: HTTP Smuggling via an invalid Transfer-Encoding Header (2020-06-01)
Bugzilla: CVE-2020-11076 rubygem-puma: HTTP Smuggling via an invalid Transfer-Encoding Header [fedora-all] (2020-06-01)