NVD Vulnerability Detail

CVE-2020-11077

Summary	In Puma (RubyGem) before 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.
Publication Date	May 23, 2020, 12:15 a.m.
Registration Date	Jan. 26, 2021, 11:50 a.m.
Last Update	Nov. 21, 2024, 1:56 p.m.

Affected software configurations

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:fedoraproject:fedora:33:::::::*

Configuration3		or higher	or less	more than	less than
cpe:2.3:o:debian:debian_linux:9.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html	Mailing List Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html	Mailing List Third Party Advisory
3	https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22	Release Notes
4	https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm	Vendor Advisory
5	https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html	Mailing List Third Party Advisory
6	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
7	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html	Mailing List Third Party Advisory
8	https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/
9	https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html	Mailing List Third Party Advisory
10	https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm	Vendor Advisory
11	https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22	Release Notes
12	http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html	Mailing List Third Party Advisory

Common Vulnerabilities List

JVN Vulnerability Information

Puma における HTTP リクエストスマグリングに関する脆弱性

Title	Puma における HTTP リクエストスマグリングに関する脆弱性
Summary	Puma (RubyGem) には、HTTP リクエストスマグリングに関する脆弱性が存在します。
Possible impacts	情報を改ざんされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 22, 2020, midnight
Registration Date	June 23, 2020, 5:45 p.m.
Last Update	June 23, 2020, 5:45 p.m.

Affected System

Puma

puma 3.12.6 未満

puma 4.3.5 未満

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2020-11077	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11077
National Vulnerability Database (NVD)
2	CVE-2020-11077	https://nvd.nist.gov/vuln/detail/CVE-2020-11077

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-444	https://cwe.mitre.org/data/definitions/444.html

ベンダー情報

No	Name	URL
GitHub
1	4.3.4/4.3.5 and 3.12.5/3.12.6 / 2020-05-22	https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
2	HTTP Smuggling via Transfer-Encoding Header	https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxm

Change Log

No	Changed Details	Date of change
1	[2020年06月23日] 掲載	June 23, 2020, 5:45 p.m.