Bug 1816181 (CVE-2020-5249)

Summary: CVE-2020-5249 rubygem-puma: attacker is able to use carriage return character to insert malicious content (HTTP Response Splitting), this could lead to XSS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: dmetzger, gblomqui, gmccullo, gtanzill, hhorak, hvyas, jaruga, jhardy, jorton, kdixon, roliveri, ruby-maint, ruby-packagers-sig, simaishi, smallamp, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puma 4.3.3, puma 3.12.4 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in rubygem-puma, where it did not properly forbid untrusted input in an early-hints header. This flaw allows an attacker with the ability to tamper with HTTP headers to insert a carriage return character to end the header and then insert malicious content, allowing an HTTP response splitting, which exposes the risk of attacks such as cross-site scripting.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-08 13:35:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1816182, 1816665, 1817856, 1819660    
Bug Blocks: 1816188    

Description Marian Rehak 2020-03-23 13:58:00 UTC 
In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Comment 1 Marian Rehak 2020-03-23 13:58:51 UTC 
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 1816182]
Comment 2 Hardik Vyas 2020-03-24 11:16:27 UTC 
External References:

https://github.com/puma/puma/security/advisories/GHSA-33vf-4xgg-9r58
Comment 4 Hardik Vyas 2020-03-24 11:58:49 UTC 
Upstream patch : https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
Comment 7 Yadnyawalk Tale 2020-03-27 05:13:04 UTC 
Statement:

This issue affects the version of rubygem-puma shipped with Red Hat Gluster Storage 3, as it does not prevent HTTP Response splitting via CR in early hints.

Red Hat CloudForms uses affected RubyGem Puma, however, it is not vulnerable since it does not have custom code enabling early hints, HTTP/2 support or way to return 103 response. A future update may fix affected RubyGem.
Comment 9 Yadnyawalk Tale 2020-03-27 07:06:22 UTC 
CVSS difference explanation: 

Red Hat uses Pume in products, however, we are immune from this vulnerability since most of our products do not use early hint configuration and thus attack complexity is "High" for Red Hat least which make this difference.