Bug 2013495 (CVE-2021-41136) - CVE-2021-41136 rubygem-puma: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Summary: CVE-2021-41136 rubygem-puma: Inconsistent Interpretation of HTTP Requests ('H...
Keywords:
Status: NEW
Alias: CVE-2021-41136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2013497 2016424 2017334
Blocks: 2013498
TreeView+ depends on / blocked
 
Reported: 2021-10-13 04:34 UTC by Marian Rehak
Modified: 2021-12-14 09:23 UTC (History)
30 users (show)

Fixed In Version: puma 5.5.1, puma 4.3.9
Doc Type: If docs needed, set a value
Doc Text:
An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Marian Rehak 2021-10-13 04:34:09 UTC
Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Comment 1 Marian Rehak 2021-10-13 04:34:38 UTC
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 2013497]

Comment 2 Yadnyawalk Tale 2021-10-21 13:42:20 UTC
Upstream patch: 
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f

Comment 3 Yadnyawalk Tale 2021-10-21 13:43:37 UTC
External references:
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx


Note You need to log in before you can comment on or make changes to this bug.