CVE-2020-5247
Published: 2020-02-28
Priority: P3 39 · Severity: high · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
EPSS: 2.49% (82.6th percentile)
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
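The fix described above (checking every header for line endings and rejecting any that contain one) is a property an application can also enforce on its own side, before headers reach the server. The following is an added Ruby example, not Puma's own code: a validator that refuses any response header name or value containing CR or LF, plus a hypothetical Rack middleware (`RejectHeaderLineEndings`, an assumed name) that applies it both to the final response and to the early-hints callback Rack exposes as `env['rack.early_hints']` (the path that the related CVE-2020-5249 reports the first fix left unprotected). The header values in the demo are constructed for this example.

```ruby
# Added example, not Puma's own code: reject any response header whose name or
# value contains a line ending, the same property the upstream fix enforces.

class HeaderInjectionError < StandardError; end

# CR or LF anywhere in the string; either one is enough to break out of a
# header line, so a bare LF is rejected as well as CRLF.
LINE_ENDING = /[\r\n]/

# Returns +headers+ unchanged when every name and value is free of CR/LF and
# raises HeaderInjectionError otherwise. Rack allows a value to be an Array
# of strings, so each element is checked.
def validate_response_headers(headers)
  headers.each do |name, value|
    if name.to_s.match?(LINE_ENDING)
      raise HeaderInjectionError, "line ending in header name #{name.inspect}"
    end
    Array(value).each do |v|
      if v.to_s.match?(LINE_ENDING)
        raise HeaderInjectionError, "line ending in value of header #{name}"
      end
    end
  end
  headers
end

# True when the headers are safe to emit, false when they would split the response.
def safe_headers?(headers)
  validate_response_headers(headers)
  true
rescue HeaderInjectionError
  false
end

# Hypothetical Rack middleware (assumed name) applying the check to the final
# response and to early hints. Rack exposes early hints as a callable in
# env['rack.early_hints'] (assumption based on the Rack spec); it is wrapped
# so hint headers are validated before they reach the server.
class RejectHeaderLineEndings
  def initialize(app)
    @app = app
  end

  def call(env)
    if env['rack.early_hints']
      send_hints = env['rack.early_hints']
      env['rack.early_hints'] = ->(hints) { send_hints.call(validate_response_headers(hints)) }
    end
    status, headers, body = @app.call(env)
    [status, validate_response_headers(headers), body]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a redirect target copied unescaped from user input.
  tainted = "https://example.com/\r\nX-Injected: 1"
  puts safe_headers?('Location' => 'https://example.com/')  # true
  puts safe_headers?('Location' => tainted)                 # false
end
```

Rejecting the whole response (rather than stripping the offending characters) mirrors the upstream fix and keeps the failure visible in application logs, which is where a defender would notice that untrusted data is reaching a header in the first place.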
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | puma | < puma 3.12.4-1 (bookworm) | puma 3.12.4-1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| msrc | cbl_mariner_1.0_arm | — | — |
| msrc | cbl_mariner_1.0_x64 | — | — |
| msrc | cm1_ruby_2.6.7-1_on_cbl_mariner_1.0 | — | — |
| puma | puma | < 3.12.4 | 3.12.4 |
| puma | puma | <= 3.12.3 | — |
| puma | puma | — | — |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4-1 | 3.12.4-1 |
| puma | puma | >= 0 < 3.12.4 | 3.12.4 |
| puma | puma | >= 4.0.0 < 4.3.3 | 4.3.3 |
| puma | puma | 4.0.0 – 4.3.2 | — |
| ruby-lang | ruby | <= 2.3.0 | — |
| ruby-lang | ruby | — | — |
| ruby-lang | ruby | 2.4.0 – 2.4.7 | — |
| ruby-lang | ruby | 2.5.0 – 2.5.6 | — |
| ruby-lang | ruby | 2.6.0 – 2.6.4 | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | 2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| ghsa | — | 7.5 | HIGH | — |
| osv | — | 7.5 | HIGH | — |
| vendor_msrc | — | 7.5 | HIGH | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
Red Hat
rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
vendor_redhat · 2020-03-02 · CVSS 5.3 · CVE-2020-5247 [MEDIUM] · CWE-113
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Red Hat
rubygem-puma: attacker is able to use carriage return character to insert malicious content (HTTP Response Splitting), this could lead to XSS
vendor_redhat · 2020-03-02 · CVSS 6.5 · CVE-2020-5249 [MEDIUM] · CWE-79
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.
A flaw was discovered in rubygem-puma, where it did not pro
Microsoft
HTTP Response Splitting in Puma
vendor_msrc · 2020-02-11 · CVSS 7.5 · CVE-2020-5247 [MEDIUM] · CWE-113
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
GitHub_M: GitHub_M
Customer Action Required: Yes
Remediation: CBL-Mariner Releases
Reference: https://learn.microsoft.com/en-
Debian
CVE-2020-5247: puma - In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma a...
vendor_debian · 2020 · CVSS 5.3 · CVE-2020-5247 [MEDIUM]
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Scope: local
bookworm: resolved (fixed in 3.12.4-1)
bullseye: resolved (fixed in 3
Debian
CVE-2020-5249: puma - In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows u...
vendor_debian · 2020 · CVSS 6.5 · CVE-2020-5249 [MEDIUM]
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.
Scope: local
bookworm: resolved (fixed in 3.12.4-1)
bullseye: resolved (fixed in 3.12.4-1)
forky: resolved (fixed in 3.12.4-1)
sid: resolved (fixed in 3.12.4-1)
trixie: resolved (fixed in 3.12.4-1)
GHSA
HTTP Response Splitting (Early Hints) in Puma
ghsa · 2020-03-03 · CVSS 7.5 · CVE-2020-5249 [HIGH] · CWE-113
### Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.
### Patches
This has been fixed in 4.3.3 and 3.12.4.
### Workarounds
Users can not all
OSV
HTTP Response Splitting (Early Hints) in Puma
osv · 2020-03-03 · CVSS 7.5 · CVE-2020-5249 [HIGH]
### Impact
If an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as [HTTP Response Splitting](https://owasp.org/www-community/attacks/HTTP_Response_Splitting).
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to [CVE-2020-5247](https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v), which fixed this vulnerability but only for regular responses.
### Patches
This has been fixed in 4.3.3 and 3.12.4.
### Workarounds
Users can not all
OSV
CVE-2020-5249: In Puma (RubyGem) before 4
osv · 2020-03-02 · CVSS 7.5 · CVE-2020-5249 [HIGH]
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.
OSV
HTTP Response Splitting in Puma
osv · 2020-02-28 · CVSS 5.3 · CVE-2020-5247 [MEDIUM]
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
GHSA
HTTP Response Splitting in Puma
ghsa · 2020-02-28 · CVSS 5.3 · CVE-2020-5247 [MEDIUM] · CWE-113
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting.
While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server.
This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
OSV
CVE-2020-5247: In Puma (RubyGem) before 4
osv · 2020-02-28 · CVSS 5.3 · CVE-2020-5247 [MEDIUM]
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2020-5247 rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
bugzilla · 2020-03-23 · CVSS 6.5 · CVE-2020-5247 [MEDIUM]
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or `\r`, `\n`) to end the header and inject malicious content. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
Upstream Advisory:
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Discussion:
Created rubygem-puma tracking bugs for this issue:
Affects: fedora-all [bug 1816189]
---
External References:
https://g
Bugzilla
CVE-2020-5247 rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS [fedora-all]
bugzilla · 2020-03-23 · CVSS 6.5 · CVE-2020-5247 [MEDIUM]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of fedora-all.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog
References:
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254