Bug 1816187 (CVE-2020-5247) - CVE-2020-5247 rubygem-puma: attacker is able to use newline characters to insert malicious content (HTTP Response Splitting), this could lead to XSS
Summary: CVE-2020-5247 rubygem-puma: attacker is able to use newline characters to ins...
Status: NEW
Alias: CVE-2020-5247
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1816189 1816666 1817859 1819661
Blocks: 1997390 1816188
TreeView+ depends on / blocked
Reported: 2020-03-23 14:03 UTC by Marian Rehak
Modified: 2021-11-17 21:43 UTC (History)
22 users (show)

Fixed In Version: puma 4.3.2, puma 3.12.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in rubygem-puma, where it did not properly forbid untrusted input in a response header. This flaw allows an attacker with the ability to tamper with HTTP headers to insert a new-line and insert malicious content, allowing an HTTP response splitting, which exposes the risk of attacks such as cross-site scripting.
Clone Of:
Last Closed:

Attachments (Terms of Use)

Description Marian Rehak 2020-03-23 14:03:26 UTC
In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).

Upstream Advisory:


Comment 1 Marian Rehak 2020-03-23 14:04:06 UTC
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 1816189]

Comment 2 Hardik Vyas 2020-03-24 11:57:27 UTC
External References:


Comment 5 Yadnyawalk Tale 2020-03-27 05:14:06 UTC

This issue affects the version of rubygem-puma shipped with Red Hat Gluster Storage 3, as it does not validate whether the header value could inject a CR or LF and inject their own HTTP response.

Red Hat CloudForms uses affected RubyGem Puma, however, it is not vulnerable since it does not have custom code enabling early hints, HTTP/2 support or way to return 103 response. A future update may fix affected RubyGem.

Comment 7 Yadnyawalk Tale 2020-03-27 07:06:39 UTC
CVSS difference explanation: 

Red Hat uses Pume in products, however, we are immune from this vulnerability since most of our products do not use early hint configuration and thus attack complexity is "High" for Red Hat least which make this difference.

Note You need to log in before you can comment on or make changes to this bug.