Fixed versions
3.12.5
4.0.1
3.12.4
CVE-2020-5249 describes an HTTP Response Splitting vulnerability within Puma, a Ruby web server. This flaw allows attackers to inject malicious content into HTTP responses by manipulating early-hints headers, potentially leading to cross-site scripting (XSS) attacks. The vulnerability impacts Puma versions 3.9.1 and earlier, and a fix is available in version 3.12.4.
The core of this vulnerability lies in Puma's handling of early-hints headers. If an application using Puma accepts untrusted input within these headers, a malicious actor can exploit this by injecting a carriage return character. This effectively terminates the header prematurely, allowing the attacker to inject arbitrary content, such as additional headers or even a completely new response body. While not a direct attack vector itself, HTTP Response Splitting serves as a foundation for numerous other attacks. The most common consequence is cross-site scripting (XSS), where injected scripts can compromise user sessions and steal sensitive data. Furthermore, response splitting can be leveraged for cache poisoning, session hijacking, and other malicious activities, significantly expanding the potential blast radius of this vulnerability.
CVE-2020-5249 is related to CVE-2020-5247, highlighting a broader issue in Puma's header handling. While no active exploitation campaigns have been publicly reported, the vulnerability's potential for XSS and other attacks makes it a worthwhile target. The vulnerability was publicly disclosed on March 3, 2020. No KEV listing or public proof-of-concept has been identified as of the current date.
Applications built with Ruby on Rails or other Ruby frameworks that utilize Puma as their web server are at risk. Specifically, deployments using Puma versions 3.9.1 or earlier, especially those that accept user-supplied data in HTTP headers without proper validation, are highly vulnerable. Shared hosting environments where users have control over application configuration are also at increased risk.
• ruby / puma:
  grep -r 'early-hints' /path/to/puma/config.yml
• generic web:
  curl -I 'http://your-puma-app.com' | grep 'early-hints'
• generic web:
  grep -r 'early-hints' /var/log/nginx/access.log
Exploitation status
EPSS
0.50% (66th percentile)
CVSS vector
The primary mitigation for CVE-2020-5249 is to upgrade Puma to version 3.12.4 or later, which includes the necessary fix. If an immediate upgrade is not feasible due to compatibility issues or breaking changes, consider implementing a temporary workaround by sanitizing or validating early-hints headers to prevent carriage return characters from being included. Web application firewalls (WAFs) can also be configured to filter out suspicious early-hints headers. Additionally, review application code to ensure that any user-supplied data included in HTTP headers is properly escaped to prevent injection attacks. After upgrading, confirm the fix by sending a request with a crafted early-hints header containing a carriage return and verifying that the response does not contain the injected content.
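The header-validation workaround described above, written as an added example that is not Puma's own code: a Rack middleware that wraps the server's `rack.early_hints` callable and rejects any header name or value containing CR, LF or NUL before it can be written into a 103 Early Hints block (the mechanism the description of this CVE explains). The class names `SafeEarlyHints` and `HeaderInjectionError` and the `render_early_hints` helper are assumptions for this example.

```ruby
# Added example (not Puma's or Rack's own code). Wraps `rack.early_hints`
# so a header containing a line terminator is rejected instead of being
# written to the wire, where the CR would end the header prematurely.
class HeaderInjectionError < StandardError; end

class SafeEarlyHints
  # Any of these characters would terminate a header line or header block.
  FORBIDDEN = /[\r\n\0]/.freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    hints = env['rack.early_hints']
    if hints
      # Replace the server-provided callable with a validating wrapper.
      env['rack.early_hints'] = lambda do |headers|
        hints.call(SafeEarlyHints.validate!(headers))
      end
    end
    @app.call(env)
  end

  # Returns the hash unchanged when every name and value is a single
  # header line; raises so the caller can log the attempt and skip the hint.
  def self.validate!(headers)
    headers.each do |name, value|
      if name.to_s.match?(FORBIDDEN) || value.to_s.match?(FORBIDDEN)
        raise HeaderInjectionError, "CR/LF/NUL in early hint #{name.inspect}"
      end
    end
    headers
  end
end

# Helper (assumed, for illustration): how a validated header hash is laid
# out as a 103 Early Hints block, each header on its own CRLF-terminated line.
def render_early_hints(headers)
  lines = headers.map { |k, v| "#{k}: #{v}" }
  "HTTP/1.1 103 Early Hints\r\n#{lines.join("\r\n")}\r\n\r\n"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input: one well-formed hint and one carrying a CR.
  puts render_early_hints('Link' => '</style.css>; rel=preload; as=style')
  begin
    SafeEarlyHints.validate!('Link' => "</style.css>; rel=preload\r")
  rescue HeaderInjectionError => e
    puts "rejected: #{e.message}"
  end
end
```

In a Rails or Rack application this would be registered with `use SafeEarlyHints` ahead of any middleware that calls `env['rack.early_hints']`; it complements, but does not replace, upgrading Puma.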
Upgrade the Puma gem to version 4.3.3 or later, or to version 3.12.4 or later. This fixes the HTTP response splitting vulnerability. Run `gem update puma` to upgrade.
CVE-2020-5249 is a vulnerability in Puma versions 3.9.1 and earlier that allows attackers to inject malicious content into HTTP responses via early-hints headers, potentially leading to XSS.
You are affected if you are using Puma versions 3.9.1 or earlier. Upgrade to version 3.12.4 or later to resolve the issue.
Upgrade Puma to version 3.12.4 or later. If an immediate upgrade isn't possible, sanitize early-hints headers and consider using a WAF.
While no active exploitation campaigns have been publicly reported, the vulnerability's potential for XSS makes it a potential target.
Refer to the Puma security advisory on GitHub: https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v