CVE-2020-11076 describes a vulnerability in Puma, a popular Ruby web server. This flaw allows attackers to smuggle HTTP responses by exploiting improper handling of transfer-encoding headers, potentially leading to request hijacking and other malicious activities. The vulnerability impacts Puma versions 3.9.1 and earlier. A fix is available in Puma 3.12.5 and 4.3.4.
The core of this vulnerability lies in Puma's handling of HTTP requests with potentially malformed transfer-encoding headers. An attacker can craft a request that tricks Puma into interpreting subsequent requests as part of the initial response, effectively smuggling them. This allows for various attacks, including session hijacking, cache poisoning, and potentially even gaining unauthorized access to backend systems. Successful exploitation could lead to an attacker impersonating legitimate users or manipulating the server's behavior. The impact is amplified in environments where Puma is used as a reverse proxy or load balancer, as the smuggled requests can bypass security controls.
This vulnerability was originally reported by @ZeddYu and publicly disclosed on May 22, 2020. While no active exploitation campaigns have been definitively linked to CVE-2020-11076, the technique of HTTP response smuggling is well-understood and has been exploited in other contexts. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are available, demonstrating the feasibility of the attack.
Applications and services relying on Puma as a web server or reverse proxy are at risk, particularly those handling untrusted user input or interacting with external APIs. Environments utilizing Puma behind a load balancer or in a microservices architecture are especially vulnerable due to the potential for cascading impacts.
• linux / server: `journalctl -u puma -g 'transfer-encoding' | grep -i error`
• generic web: `curl -I <target_url> | grep Transfer-Encoding`
• generic web: `grep -i 'transfer-encoding:' /var/log/apache2/access.log`
EPSS: 1.94% (83rd percentile)
The primary mitigation for CVE-2020-11076 is to upgrade Puma to version 3.12.5 or 4.3.4, which contain the necessary fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) or reverse proxy with rules to filter out requests containing suspicious transfer-encoding headers, specifically those with invalid or unexpected values. Carefully review and validate all incoming HTTP headers, especially transfer-encoding, to prevent malicious manipulation. Monitor Puma logs for unusual patterns or errors related to header parsing.
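As an added illustration of the header validation recommended above (example code, not Puma's own and not from this page): a Rack middleware that rejects requests whose Transfer-Encoding header is malformed. It assumes the Rack env convention for header names (HTTP_TRANSFER_ENCODING, CONTENT_LENGTH) and runs only after the server has already parsed the request, so it is a defence-in-depth layer alongside the upgrade, not a replacement for it.

```ruby
# Added example (not Puma's own code): a Rack middleware that refuses requests
# whose Transfer-Encoding header is malformed before the application sees them.
# It runs after the server has already parsed the request, so it is a
# defence-in-depth layer, not a substitute for upgrading to 3.12.5 / 4.3.4.
module TransferEncodingGuard
  # Transfer codings registered for HTTP/1.1 (RFC 7230 section 4 and the IANA registry).
  KNOWN_CODINGS = %w[chunked gzip x-gzip deflate compress x-compress identity].freeze
  # RFC 7230 'token' characters; anything else (spaces, ';', control bytes) is rejected.
  TOKEN = /\A[!$%&'*+\-.^_`|~0-9A-Za-z#]+\z/

  # Returns nil when the header is acceptable, otherwise a short reason string.
  # Header names follow the Rack env convention (HTTP_TRANSFER_ENCODING, CONTENT_LENGTH).
  def self.problem(env)
    raw = env['HTTP_TRANSFER_ENCODING']
    return nil if raw.nil?

    # A request carrying both framing headers is ambiguous; reject it (RFC 7230 3.3.3).
    return 'transfer-encoding and content-length both present' if env.key?('CONTENT_LENGTH')

    # Keep trailing empty fields so 'chunked,' is not silently accepted.
    codings = raw.split(',', -1).map { |c| c.strip.downcase }
    return 'empty transfer-encoding value' if codings.empty? || codings.any?(&:empty?)

    bad = codings.find { |c| !TOKEN.match?(c) || !KNOWN_CODINGS.include?(c) }
    return "unsupported transfer-encoding '#{bad}'" if bad

    # chunked must appear exactly once and must be the final (outermost) coding.
    unless codings.count('chunked') == 1 && codings.last == 'chunked'
      return 'chunked must appear once, as the final coding'
    end
    nil
  end

  class Middleware
    def initialize(app)
      @app = app
    end

    def call(env)
      reason = TransferEncodingGuard.problem(env)
      return @app.call(env) unless reason

      # 400 plus Connection: close so any bytes left on the socket are never
      # re-parsed as a second request on the same connection.
      [400, { 'content-type' => 'text/plain', 'connection' => 'close' },
       ["Bad Request: #{reason}\n"]]
    end
  end
end
```

Mount it first in the Rack stack (`use TransferEncodingGuard::Middleware` in config.ru) so it runs before any application code; it returns 400 for headers it cannot interpret rather than guessing.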
Update the Puma gem to 4.3.4 or later, or to 3.12.5 or later. This fixes the HTTP smuggling vulnerability caused by invalid Transfer-Encoding headers. Run `gem update puma` to update.
CVE-2020-11076 is a vulnerability in Puma versions ≤3.9.1 that allows attackers to smuggle HTTP responses via invalid transfer-encoding headers, potentially leading to request hijacking.
If you are using Puma version 3.9.1 or earlier, you are potentially affected by this vulnerability. Upgrade to Puma 3.12.5 or 4.3.4 to mitigate the risk.
Upgrade Puma to version 3.12.5 or 4.3.4. As a temporary workaround, implement WAF rules to filter suspicious transfer-encoding headers.
While no confirmed active exploitation campaigns are publicly known, the technique is well-understood and could be exploited. It's crucial to apply the patch.
Refer to the Puma security policy on GitHub: https://github.com/puma/puma/security/policy