CVE-2020-5249

MEDIUM

Puma < 3.12.3 - Injection

Title source: rule

Description

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.

References (7)

[Third Party Advisory] https://owasp.org/www-community/attacks/HTTP_Response_Splitting

[Third Party Advisory] https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58

[Third Party Advisory] https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v

[Patch, Third Party Advisory] https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3

View Patch ZIP pw:eip

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/

[Mailing List, Third Party Advisory] https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/

Scores

CVSS v3 6.5

EPSS 0.0050

EPSS Percentile 65.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Details

CWE

CWE-113 CWE-74

Status published

Products (2)

puma/puma < 3.12.3

rubygems/puma 0 - 3.12.4RubyGems

Published Mar 02, 2020

Tracked Since Feb 18, 2026