CVE-2021-41136 — HTTP Request Smuggling in Puma
Severity: 3.7 LOW (NVD)
EPSS: 0.3% (top 47.71%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 12
Description
Puma is an HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds …
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N
Exploitability: 1.2 | Impact: 2.5
Affected packages: 5 packages
Also affects: Debian Linux 10.0, 11.0