CVE-2020-5247: HTTP Response Splitting in Puma
First published: Fri Feb 28 2020(Updated: )
In Puma (RubyGem) before 4.3.2 and 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.
Credit: security-advisories@github.com security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Puma Puma | <=3.12.3 | |
| Puma Puma | >=4.0.0<=4.3.2 | |
| Ruby-lang Ruby | <=2.3.0 | |
| Ruby-lang Ruby | >=2.4.0<=2.4.7 | |
| Ruby-lang Ruby | >=2.5.0<=2.5.6 | |
| Ruby-lang Ruby | >=2.6.0<=2.6.4 | |
| Ruby-lang Ruby | =2.7.0-preview1 | |
| Debian Debian Linux | =9.0 | |
| Fedoraproject Fedora | =30 | |
| Fedoraproject Fedora | =31 | |
| Fedoraproject Fedora | =32 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
- https://github.com/puma/puma/commit/c36491756f68a9d6a8b3a49e7e5eb07fe6f1332f
- https://owasp.org/www-community/attacks/HTTP_Response_Splitting
- https://www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
- https://nvd.nist.gov/vuln/detail/CVE-2020-5247
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
- https://lists.debian.org/debian-lts-announce/2022/05/msg00034.html
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-5247.yml
- https://github.com/advisories/GHSA-84j7-475p-hp8v (Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
Frequently Asked Questions
What is CVE-2020-5247?
CVE-2020-5247 is a vulnerability in Puma (RubyGem) that allows an attacker to inject malicious content via newline characters in response headers.
What is the severity of CVE-2020-5247?
The severity of CVE-2020-5247 is high with a CVSS score of 7.5.
Which versions of Puma are affected by CVE-2020-5247?
Puma versions before 4.3.2 and before 3.12.3 are affected by CVE-2020-5247.
How can an attacker exploit CVE-2020-5247?
An attacker can exploit CVE-2020-5247 by using newline characters to end the header and inject malicious content, such as additional headers or a new response body.
Where can I find more information about CVE-2020-5247?
You can find more information about CVE-2020-5247 on the GitHub security advisory page and the OWASP website.
- collector/github-advisory-latest
- alias/GHSA-84j7-475p-hp8v
- alias/CVE-2020-5247
- collector/github-advisory
- collector/nvd-index
- collector/nvd-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/references
- agent/remedy
- agent/weakness
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- package-manager/rubygems
- vendor/puma
- canonical/puma puma
- version/puma puma/3.12.3
- version/puma puma/4.0.0
- version/puma puma/4.3.2
- vendor/ruby-lang
- canonical/ruby-lang ruby
- version/ruby-lang ruby/2.3.0
- version/ruby-lang ruby/2.4.0
- version/ruby-lang ruby/2.4.7
- version/ruby-lang ruby/2.5.0
- version/ruby-lang ruby/2.5.6
- version/ruby-lang ruby/2.6.0
- version/ruby-lang ruby/2.6.4
- version/ruby-lang ruby/2.7.0-preview1
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/30
- version/fedoraproject fedora/31
- version/fedoraproject fedora/32