Bug 1816187 (CVE-2020-5247)

Summary: CVE-2020-5247 rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
Product: [Other] Security Response Reporter: Marian Rehak <mrehak>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amackenz, amasferr, chazlett, dmetzger, gblomqui, gmccullo, gtanzill, hhorak, hvyas, jaruga, jhardy, jorton, kdixon, mkudlej, ruby-maint, ruby-packagers-sig, simaishi, smallamp, tjochec, vondruch
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: puma 4.3.2, puma 3.12.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in rubygem-puma, where it did not properly forbid untrusted input in a response header. This flaw allows an attacker with the ability to tamper with HTTP headers to insert a new-line and insert malicious content, allowing an HTTP response splitting, which exposes the risk of attacks such as cross-site scripting.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1816189, 1816666, 1817859, 1819661    
Bug Blocks: 1816188, 1997390    

Description Marian Rehak 2020-03-23 14:03:26 UTC 
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Comment 1 Marian Rehak 2020-03-23 14:04:06 UTC 
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 1816189]
Comment 2 Hardik Vyas 2020-03-24 11:57:27 UTC 
External References:

https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
Comment 5 Yadnyawalk Tale 2020-03-27 05:14:06 UTC 
Statement:

This issue affects the version of rubygem-puma shipped with Red Hat Gluster Storage 3, as it does not validate whether the header value could inject a CR or LF and inject their own HTTP response.

Red Hat CloudForms uses affected RubyGem Puma, however, it is not vulnerable since it does not have custom code enabling early hints, HTTP/2 support or way to return 103 response. A future update may fix affected RubyGem.
Comment 7 Yadnyawalk Tale 2020-03-27 07:06:39 UTC 
CVSS difference explanation: 

Red Hat uses Pume in products, however, we are immune from this vulnerability since most of our products do not use early hint configuration and thus attack complexity is "High" for Red Hat least which make this difference.