CVSS3: 6.5 Medium

Metric | Value
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | LOW
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | HIGH
Availability Impact | NONE

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4 Medium

Metric | Value
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | SINGLE
Confidentiality Impact | NONE
Integrity Impact | PARTIAL
Availability Impact | NONE

Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N
puma is vulnerable to HTTP response splitting. The attack exists because it does not properly handle CRLF (carriage return and line feed) characters injected into early hints response headers, allowing an attacker to inject a CRLF to end the HTTP response header and append malicious content, such as additional headers or an entirely new response body. This vulnerability exists due to an incomplete fix for CVE-2020-5247.
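The defensive check the advisory implies, as an added example that is not puma's own code: before a header is written into a 103 Early Hints block, its name is restricted to RFC 7230 token characters and its value is rejected if it contains CR, LF or NUL, so an untrusted value can never terminate the header block. The function and class names (`safe_header_line`, `early_hints_block`, `HeaderInjectionError`) and the sample header values are assumptions constructed for this illustration.

```ruby
# Added example (not puma's own code): validate header names and values before
# emitting them in a 103 Early Hints response, rejecting CR/LF so a value can
# never terminate the header block. Names below are hypothetical.

class HeaderInjectionError < StandardError; end

# Header names: RFC 7230 token characters only.
HEADER_NAME_RE  = /\A[!$#%&'*+\-.^_`|~0-9A-Za-z]+\z/
# Header values: no CR, LF or NUL anywhere in the value.
HEADER_VALUE_RE = /\A[^\r\n\x00]*\z/

# Returns the header as a single "Name: value" line, or raises if either part
# could break out of the header block.
def safe_header_line(name, value)
  name  = name.to_s
  value = value.to_s
  raise HeaderInjectionError, "bad header name: #{name.inspect}" unless HEADER_NAME_RE.match?(name)
  raise HeaderInjectionError, "CR/LF in header value: #{value.inspect}" unless HEADER_VALUE_RE.match?(value)
  "#{name}: #{value}"
end

# Build a complete 103 Early Hints block from a hash of headers. Every value is
# validated, so an untrusted value cannot inject extra headers or a body.
def early_hints_block(headers)
  lines = headers.map { |k, v| safe_header_line(k, v) }
  "HTTP/1.1 103 Early Hints\r\n" + lines.join("\r\n") + "\r\n\r\n"
end

# Convenience predicate for a quick check in an application.
def header_value_safe?(value)
  HEADER_VALUE_RE.match?(value.to_s)
end

if __FILE__ == $0
  # Constructed sample input: a benign Link hint and one with an embedded CRLF.
  puts early_hints_block("Link" => "</style.css>; rel=preload; as=style")
  begin
    early_hints_block("Link" => "</a.css>; rel=preload\r\nX-Injected: 1")
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting rather than stripping the control characters is the safer choice: silently removing a CRLF can turn a clearly malformed value into a syntactically valid one that still carries attacker-chosen text, whereas raising makes the bad input visible in application logs.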
CPE name | Operator | Version
---|---|---
puma | le | 4.3.2
puma | le | 3.12.3
puma:buster | eq | 3.12.0-2+deb10u1
github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
github.com/puma/puma/pull/2136
github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
lists.fedoraproject.org/archives/list/[email protected]/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
lists.fedoraproject.org/archives/list/[email protected]/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
lists.fedoraproject.org/archives/list/[email protected]/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
owasp.org/www-community/attacks/HTTP_Response_Splitting
www.sourceclear.com/vulnerability-database/vulnerabilities/22623