Bug 2013495 (CVE-2021-41136) - CVE-2021-41136 rubygem-puma: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Summary: CVE-2021-41136 rubygem-puma: Inconsistent Interpretation of HTTP Requests ('H...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-41136
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2013497 2016424 2017334
Blocks: 2013498
TreeView+ depends on / blocked
 
Reported: 2021-10-13 04:34 UTC by Marian Rehak
Modified: 2022-07-05 19:26 UTC (History)
30 users (show)

Fixed In Version: puma 5.5.1, puma 4.3.9
Doc Type: If docs needed, set a value
Doc Text:
An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client.
Clone Of:
Environment:
Last Closed: 2022-07-05 19:26:09 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5498 0 None None None 2022-07-05 14:26:55 UTC

Description Marian Rehak 2021-10-13 04:34:09 UTC
Using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Upstream Advisory:

https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Comment 1 Marian Rehak 2021-10-13 04:34:38 UTC
Created rubygem-puma tracking bugs for this issue:

Affects: fedora-all [bug 2013497]

Comment 2 Yadnyawalk Tale 2021-10-21 13:42:20 UTC
Upstream patch: 
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f

Comment 3 Yadnyawalk Tale 2021-10-21 13:43:37 UTC
External references:
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Comment 6 Jun Aruga 2022-06-02 15:20:09 UTC
Note the current Fedora rawhide is rubygem-puma-5.5.2-2.fc36 .
https://src.fedoraproject.org/rpms/rubygem-puma

Comment 7 errata-xmlrpc 2022-07-05 14:26:52 UTC
This issue has been addressed in the following products:

  Red Hat Satellite 6.11 for RHEL 7
  Red Hat Satellite 6.11 for RHEL 8

Via RHSA-2022:5498 https://access.redhat.com/errata/RHSA-2022:5498

Comment 8 Product Security DevOps Team 2022-07-05 19:26:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-41136


Note You need to log in before you can comment on or make changes to this bug.