In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS).
Created rubygem-puma tracking bugs for this issue:
Affects: fedora-all [bug 1816182]
Upstream patch : https://github.com/puma/puma/commit/c22712fc93284a45a93f9ad7023888f3a65524f3
This issue affects the version of rubygem-puma shipped with Red Hat Gluster Storage 3, as it does not prevent HTTP Response splitting via CR in early hints.
Red Hat CloudForms uses affected RubyGem Puma, however, it is not vulnerable since it does not have custom code enabling early hints, HTTP/2 support or way to return 103 response. A future update may fix affected RubyGem.
CVSS difference explanation:
Red Hat uses Pume in products, however, we are immune from this vulnerability since most of our products do not use early hint configuration and thus attack complexity is "High" for Red Hat least which make this difference.