Lucene search
Veracode Vulnerability DatabaseVERACODE:22604HistoryMar 02, 2020 - 1:51 a.m.
CRLF Injection
2020-03-0201:51:14
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
4
0.011 Low
EPSS
Percentile
84.2%
puma is vulnerable to CRLF injection. The values in the HTTP response headers not sanitized and validated, allowing an attacker perform HTTP response splitting by adding carriage feed or line return characters to inject arbitrary content in the HTTP response from the server. This vulnerability is related to CVE-2019-16254.
| CPE | Name | Operator | Version |
|---|---|---|---|
| puma | le | 4.3.1 | |
| puma | le | 3.12.2 | |
| puma:buster | eq | 3.12.0-2+deb10u1 | |
| puma | le | 4.3.1 | |
| puma | le | 3.12.2 | |
| puma:buster | eq | 3.12.0-2+deb10u1 |
References
github.com/advisories/GHSA-84j7-475p-hp8v
github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
lists.debian.org/debian-lts-announce/2022/05/msg00034.html
lists.fedoraproject.org/archives/list/[email protected]/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
lists.fedoraproject.org/archives/list/[email protected]/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
lists.fedoraproject.org/archives/list/[email protected]/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
owasp.org/www-community/attacks/HTTP_Response_Splitting
sca.analysiscenter.veracode.com/vulnerability-database/security/http-response-splitting/ruby/sid-21605/summary
www.ruby-lang.org/en/news/2019/10/01/http-response-splitting-in-webrick-cve-2019-16254
Related
cvelist
cvelist
CVE-2020-5247 HTTP Response Splitting in Puma
2020-02-28 16:55:15
CVE-2019-16254
2019-11-26 00:00:00
CVE-2020-5249 HTTP Response Splitting (Early Hints) in Puma
2020-03-02 15:20:21
nvd
nvd
ubuntucve
ubuntucve
prion
prion
Cross site scripting
2020-02-28 17:15:00
Input validation
2019-11-26 18:15:00
Cross site scripting
2020-03-02 16:15:00
github
github
HTTP Response Splitting in Puma
2020-02-28 16:53:55
HTTP Response Splitting (Early Hints) in Puma
2020-03-03 23:33:16
cve
cve
debiancve
debiancve
osv
osv
CVE-2020-5247
2020-02-28 17:15:12
HTTP Response Splitting in Puma
2020-02-28 16:53:55
BIT-ruby-2020-5247
2024-03-06 11:05:50
nessus
nessus
Debian DLA-3023-1 : puma - LTS security update
2022-05-26 00:00:00
EulerOS 2.0 SP5 : ruby (EulerOS-SA-2020-1130)
2020-02-24 00:00:00
Fedora 31 : rubygem-puma (2020-fd87f90634)
2020-04-10 00:00:00
veracode
veracode
HTTP Response Splitting
2019-10-02 06:21:10
HTTP Response Splitting
2020-03-03 05:17:42
cbl_mariner
cbl_mariner
CVE-2019-16254 affecting package ruby 2.6.3-3
2021-06-09 03:50:37
CVE-2020-5247 affecting package ruby 2.6.3-3
2021-06-09 03:50:37
redhatcve
redhatcve
CVE-2020-5247
2020-03-23 14:08:38
CVE-2019-16254
2020-01-09 19:38:59
rubygems
rubygems
HTTP Response Splitting (Early Hints) in Puma
2020-03-02 21:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for ruby (EulerOS-SA-2020-1130)
2020-02-24 00:00:00
Fedora: Security Advisory for rubygem-puma (FEDORA-2020-08092b4c97)
2020-04-12 00:00:00
Fedora: Security Advisory for rubygem-puma (FEDORA-2020-a3f26a9387)
2020-04-12 00:00:00
hackerone
hackerone
Ruby: HTTP header can split /[\r\n]/ instead of /\r\n/
2018-04-02 14:50:38
Ruby: RubyのCGIライブラリにHTTPレスポンス分割(HTTPヘッダインジェクション)があり、秘密情報が漏洩する
2021-05-21 01:10:02
alpinelinux
alpinelinux
CVE-2019-16254
2019-11-26 18:15:15
fedora
fedora
[SECURITY] Fedora 30 Update: rubygem-puma-3.12.4-1.fc30
2020-04-09 17:44:36
[SECURITY] Fedora 31 Update: rubygem-puma-3.12.4-1.fc31
2020-04-09 18:19:31
[SECURITY] Fedora 32 Update: rubygem-puma-4.3.3-1.fc32
2020-04-09 14:46:14
debian
debian
[SECURITY] [DLA 3023-1] puma security update
2022-05-25 22:50:13
[SECURITY] [DSA 4586-1] ruby2.5 security update
2019-12-17 09:37:05
[SECURITY] [DLA 2027-1] jruby security update
2019-12-10 12:43:11
cloudfoundry
cloudfoundry
USN-4201-1: Ruby vulnerabilities | Cloud Foundry
2019-12-05 00:00:00
freebsd
freebsd
ruby -- multiple vulnerabilities
2019-10-01 00:00:00
symantec
symantec
Ruby Multiple Security Vulnerabilities
2019-10-01 00:00:00
ubuntu
ubuntu
Ruby vulnerabilities
2019-11-26 00:00:00
gentoo
gentoo
Ruby: Multiple vulnerabilities
2020-03-13 00:00:00
mageia
mageia
Updated ruby packages fix security vulnerabilities
2019-12-25 22:08:41
Updated jruby packages fix security vulnerabilities
2020-11-27 23:14:57
archlinux
archlinux
[ASA-201910-2] ruby: multiple issues
2019-10-02 00:00:00
[ASA-201910-5] ruby2.5: multiple issues
2019-10-02 00:00:00
amazon
amazon
Important: ruby
2024-02-29 10:03:00
Important: ruby24
2020-08-26 23:09:00
suse
suse
Recommended update for ruby2.5 (important)
2020-03-28 00:00:00
Security update for rmt-server (important)
2020-11-23 00:00:00
Security update for rmt-server (important)
2020-11-21 00:00:00
almalinux
almalinux
Moderate: ruby:2.5 security, bug fix, and enhancement update
2021-06-29 13:58:20
Moderate: ruby:2.6 security, bug fix, and enhancement update
2021-06-29 13:58:40
redhat
redhat
rocky
rocky
ruby:2.5 security, bug fix, and enhancement update
2021-06-29 13:58:20
ruby:2.6 security, bug fix, and enhancement update
2021-06-29 13:58:40
oraclelinux
oraclelinux
ruby:2.5 security, bug fix, and enhancement update
2021-07-02 00:00:00
ruby:2.6 security, bug fix, and enhancement update
2021-07-07 00:00:00
photon
photon
Critical Photon OS Security Update - PHSA-2019-0263
2019-12-27 00:00:00
Critical Photon OS Security Update - PHSA-2020-0047
2020-01-16 00:00:00
Critical Photon OS Security Update - PHSA-2019-0196
2019-09-24 00:00:00
ibm
ibm
rosalinux
rosalinux
Advisory ROSA-SA-2021-1966
2021-07-02 18:06:34
oracle
oracle
Oracle Critical Patch Update Advisory - January 2020
2020-01-14 00:00:00