cbcvebase.
CVE-2020-5247
published 2020-02-28

CVE-2020-5247: In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline…

PriorityP339high7.5CVSS 3.1
AVNACLPRNUINSUCNIHAN
EPSS
2.49%
82.6th percentile
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.

Affected

23 ranges
VendorProductVersion rangeFixed in
debiandebian_linux
debianpuma< puma 3.12.4-1 (bookworm)puma 3.12.4-1 (bookworm)
fedoraprojectfedora
fedoraprojectfedora
fedoraprojectfedora
msrccbl_mariner_1.0_arm
msrccbl_mariner_1.0_x64
msrccm1_ruby_2.6.7-1_on_cbl_mariner_1.0
pumapuma< 3.12.43.12.4
pumapuma<= 3.12.3
pumapuma
pumapuma>= 0 < 3.12.4-13.12.4-1
pumapuma>= 0 < 3.12.4-13.12.4-1
pumapuma>= 0 < 3.12.4-13.12.4-1
pumapuma>= 0 < 3.12.4-13.12.4-1
pumapuma>= 0 < 3.12.43.12.4
pumapuma>= 4.0.0 < 4.3.34.3.3
pumapuma4.0.0 – 4.3.2
ruby-langruby<= 2.3.0
ruby-langruby
ruby-langruby2.4.0 – 2.4.7
ruby-langruby2.5.0 – 2.5.6
ruby-langruby2.6.0 – 2.6.4

CVSS provenance

nvdv3.17.5HIGHCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
nvdv2.05.0MEDIUMAV:N/AC:L/Au:N/C:N/I:P/A:N
ghsa7.5HIGH
osv7.5HIGH
vendor_msrc7.5HIGH
vendor_debian6.5MEDIUM
vendor_redhat6.5MEDIUM
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.