Описание
Puma vulnerable to HTTP Request Smuggling
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
- Lenient parsing of
Transfer-Encodingheaders, when unsupported encodings should be rejected and the final encoding must bechunked. - Lenient parsing of malformed
Content-Lengthheaders and chunk sizes, when only digits and hex digits should be allowed. - Lenient parsing of duplicate
Content-Lengthheaders, when they should be rejected. - Lenient parsing of the ending of chunked segments, when they should end with
\r\n.
The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have "good" behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
- Nginx (latest)
- Apache (latest)
- Haproxy 2.5+
- Caddy (latest)
- Traefik (latest)
Ссылки
- https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
- https://nvd.nist.gov/vuln/detail/CVE-2022-24790
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
- https://lists.debian.org/debian-lts-announce/2022/08/msg00015.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB
- https://portswigger.net/web-security/request-smuggling
- https://security.gentoo.org/glsa/202208-28
- https://www.debian.org/security/2022/dsa-5146
Пакеты
puma
>= 5.0.0, < 5.6.4
5.6.4
puma
< 4.3.12
4.3.12
Связанные уязвимости
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for R ...
