CVE-2020-5247

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
HTTP Request/Response Splitting
Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
GitHub_MCNA
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 78%
VendorProductVersion
pumapuma
𝑥
≤ 3.12.3
pumapuma
4.0.0 ≤
𝑥
≤ 4.3.2
ruby-langruby
𝑥
≤ 2.3.0
ruby-langruby
2.4.0 ≤
𝑥
≤ 2.4.7
ruby-langruby
2.5.0 ≤
𝑥
≤ 2.5.6
ruby-langruby
2.6.0 ≤
𝑥
≤ 2.6.4
ruby-langruby
2.7.0:preview1
debiandebian_linux
9.0
𝑥
= Vulnerable software versions
Debian logo
Debian Releases
Debian Product
Codename
puma
bullseye
4.3.8-1+deb11u2
fixed
bullseye (security)
4.3.8-1+deb11u3
fixed
bookworm
5.6.5-3
fixed
sid
6.4.2-6
fixed
trixie
6.4.2-6
fixed
Ubuntu logo
Ubuntu Releases
Ubuntu Product
Codename
puma
focal
not-affected
eoan
ignored
bionic
dne
xenial
dne
trusty
dne