GHSA-68xg-gqqm-vgj8

Suggest an improvement
Source
https://github.com/advisories/GHSA-68xg-gqqm-vgj8
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-68xg-gqqm-vgj8/GHSA-68xg-gqqm-vgj8.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-68xg-gqqm-vgj8
Aliases
Published
2023-08-18T21:50:05Z
Modified
2023-11-09T05:35:57.896647Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Puma HTTP Request/Response Smuggling vulnerability
Details

Impact

Prior to version 6.3.1, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies and zero-length Content-Length headers in a way that allowed HTTP request smuggling.

The following vulnerabilities are addressed by this advisory:

  • Incorrect parsing of trailing fields in chunked transfer encoding bodies
  • Parsing of blank/zero-length Content-Length headers

Patches

The vulnerability has been fixed in 6.3.1 and 5.6.7.

Workarounds

No known workarounds.

References

HTTP Request Smuggling

For more information

If you have any questions or comments about this advisory:

Open an issue in Puma See our security policy

References

Affected packages

RubyGems / puma

Package

Name
puma
Purl
pkg:gem/puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.6.7

Affected versions

0.*

0.8.0
0.8.1
0.8.2
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5

1.*

1.0.0
1.1.0
1.1.1
1.2.0
1.2.1
1.2.2
1.3.0
1.3.1
1.4.0
1.5.0
1.6.0
1.6.1
1.6.2
1.6.3

2.*

2.0.0.b1
2.0.0.b2
2.0.0.b3
2.0.0.b4
2.0.0.b5
2.0.0.b6
2.0.0.b7
2.0.0
2.0.1
2.1.0
2.1.1
2.2.0
2.2.1
2.2.2
2.3.0
2.3.1
2.3.2
2.4.0
2.4.1
2.5.0
2.5.1
2.6.0
2.7.0
2.7.1
2.8.0
2.8.1
2.8.2
2.9.0
2.9.1
2.9.2
2.10.0
2.10.1
2.10.2
2.11.0
2.11.1
2.11.2
2.11.3
2.12.0
2.12.1
2.12.2
2.12.3
2.13.0
2.13.1
2.13.2
2.13.3
2.13.4
2.14.0
2.15.0
2.15.1
2.15.2
2.15.3
2.16.0

3.*

3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.1.0
3.1.1
3.2.0
3.3.0
3.4.0
3.5.0
3.5.1
3.5.2
3.6.0
3.6.1
3.6.2
3.7.0
3.7.1
3.8.0
3.8.1
3.8.2
3.9.0
3.9.1
3.10.0
3.11.0
3.11.1
3.11.2
3.11.3
3.11.4
3.12.0
3.12.1
3.12.2
3.12.4
3.12.5
3.12.6

4.*

4.0.0
4.0.1
4.1.0
4.1.1
4.2.0
4.2.1
4.3.0
4.3.1
4.3.3
4.3.4
4.3.5
4.3.6
4.3.7
4.3.8
4.3.9
4.3.10
4.3.11
4.3.12

5.*

5.0.0.beta1
5.0.0.beta2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.1.0
5.1.1
5.2.0
5.2.1
5.2.2
5.3.0
5.3.1
5.3.2
5.4.0
5.5.0
5.5.1
5.5.2
5.6.0
5.6.1
5.6.2
5.6.4
5.6.5
5.6.6

RubyGems / puma

Package

Name
puma
Purl
pkg:gem/puma

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.0.0
Fixed
6.3.1

Affected versions

6.*

6.0.0
6.0.1
6.0.2
6.1.0
6.1.1
6.2.0
6.2.1
6.2.2
6.3.0