{"containers": {"cna": {"affected": [{"product": "puma", "vendor": "puma", "versions": [{"status": "affected", "version": ">= 5.0.0, < 5.5.1"}, {"status": "affected", "version": "< 4.3.9"}]}], "descriptions": [{"lang": "en", "value": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`."}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-444", "description": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2022-08-27T20:06:18", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"}, {"name": "DSA-5146", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2022/dsa-5146"}, {"name": "GLSA-202208-28", "tags": ["vendor-advisory", "x_refsource_GENTOO"], "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}], "source": {"advisory": "GHSA-48w2-rm65-62xx", "discovery": "UNKNOWN"}, "title": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma", "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "security-advisories@github.com", "ID": "CVE-2021-41136", "STATE": "PUBLIC", "TITLE": "Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "puma", "version": {"version_data": [{"version_value": ">= 5.0.0, < 5.5.1"}, {"version_value": "< 4.3.9"}]}}]}, "vendor_name": "puma"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`."}]}, "impact": {"cvss": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')"}]}]}, "references": {"reference_data": [{"name": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx", "refsource": "CONFIRM", "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"}, {"name": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f", "refsource": "MISC", "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"}, {"name": "DSA-5146", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2022/dsa-5146"}, {"name": "GLSA-202208-28", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "refsource": "MLIST", "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}]}, "source": {"advisory": "GHSA-48w2-rm65-62xx", "discovery": "UNKNOWN"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T02:59:31.645Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"}, {"name": "DSA-5146", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2022/dsa-5146"}, {"name": "GLSA-202208-28", "tags": ["vendor-advisory", "x_refsource_GENTOO", "x_transferred"], "url": "https://security.gentoo.org/glsa/202208-28"}, {"name": "[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}]}]}, "cveMetadata": {"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2021-41136", "datePublished": "2021-10-12T15:30:11", "dateReserved": "2021-09-15T00:00:00", "dateUpdated": "2024-08-04T02:59:31.645Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "8B1C2F6F-4978-4F25-B62B-B103AEA0B64A", "versionEndIncluding": "4.3.8", "vulnerable": true}, {"criteria": "cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "920A054F-A248-42DA-8873-B8ECFA453A50", "versionEndIncluding": "5.5.0", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`."}, {"lang": "es", "value": "Puma es un servidor HTTP versi\u00f3n 1.1 para aplicaciones Ruby/Rack. Antes de las versiones 5.5.1 y 4.3.9, usar \"puma\" con un proxy que reenv\u00ede valores del encabezado HTTP que contengan el car\u00e1cter LF pod\u00eda permitir el contrabando de peticiones HTTP. Un cliente pod\u00eda pasar una petici\u00f3n mediante un proxy, causando que el proxy enviara una respuesta a otro cliente desconocido. El \u00fanico proxy que presenta este comportamiento, hasta donde el equipo de Puma sabe, es Apache Traffic Server. Si el proxy usa conexiones persistentes y el cliente a\u00f1ade otra petici\u00f3n por medio de HTTP pipelining, el proxy puede confundirla con el cuerpo de la primera petici\u00f3n. Puma, sin embargo, lo ver\u00eda como dos peticiones, y cuando procese la segunda petici\u00f3n, devolver\u00e1 una respuesta que el proxy no espera. Si el proxy ha reusado la conexi\u00f3n persistente con Puma para enviar otra petici\u00f3n para un cliente diferente, la segunda respuesta del primer cliente ser\u00e1 enviada al segundo cliente. Esta vulnerabilidad fue parcheada en Puma versiones 5.5.1 y 4.3.9. Como soluci\u00f3n, no use Apache Traffic Server con \"puma\""}], "id": "CVE-2021-41136", "lastModified": "2022-10-12T13:30:51.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 3.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:H/Au:S/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2021-10-12T16:15:07.630", "references": [{"source": "security-advisories@github.com", "tags": ["Patch", "Third Party Advisory"], "url": "https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"}, {"source": "security-advisories@github.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202208-28"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2022/dsa-5146"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-444"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el7", "package": "tfm-rubygem-puma-0:5.6.2-1.el7sat", "product_name": "Red Hat Satellite 6.11 for RHEL 7", "release_date": "2022-07-05T00:00:00Z"}, {"advisory": "RHSA-2022:5498", "cpe": "cpe:/a:redhat:satellite:6.11::el8", "package": "rubygem-puma-0:5.6.2-1.el8sat", "product_name": "Red Hat Satellite 6.11 for RHEL 8", "release_date": "2022-07-05T00:00:00Z"}], "bugzilla": {"description": "rubygem-puma: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma", "id": "2013495", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2013495"}, "csaw": false, "cvss3": {"cvss3_base_score": "3.7", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N", "status": "verified"}, "cwe": "CWE-444", "details": ["Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with `puma`.", "An HTTP Request Smuggling vulnerability was found in puma. When using puma with a proxy, which forwards LF characters as line endings, an attacker could use this flaw to smuggle a request through a proxy, causing the proxy to send a response back to another unknown client."], "name": "CVE-2021-41136", "package_state": [{"cpe": "cpe:/a:redhat:cloudforms_managementengine:5", "fix_state": "Will not fix", "package_name": "rubygem-puma", "product_name": "CloudForms Management Engine 5"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Affected", "package_name": "rubygem-puma", "product_name": "Red Hat Storage 3"}], "public_date": "2021-10-12T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2021-41136\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-41136\nhttps://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx"], "statement": "Red Hat CloudForms 5.0 (CFME 5.11) is in the maintenance phase and Medium and Low impact security bugs will not be fixed. See https://access.redhat.com/support/policy/updates/cloudforms for additional information.", "threat_severity": "Low", "upstream_fix": "puma 5.5.1, puma 4.3.9"}