Описание
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
Пакеты
| Пакет | Статус | Версия исправления | Релиз | Тип |
|---|---|---|---|---|
| puma | fixed | 4.3.6-1 | package | |
| puma | fixed | 3.12.0-2+deb10u2 | buster | package |
Примечания
https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
EPSS
Связанные уязвимости
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
HTTP Smuggling via Transfer-Encoding Header in Puma
Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю оказать влияние на целостность информации
EPSS