Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact
5
CVSSv2

CVE-2020-11077

Published: 22/05/2020 Updated: 07/11/2023
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Subscribe to Puma

Vulnerability Summary

In Puma (RubyGem) prior to 4.3.5 and 3.12.6, a client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This is a similar but different vulnerability from CVE-2020-11076. The problem has been fixed in Puma 3.12.6 and Puma 4.3.5.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

puma puma

fedoraproject fedora 33

debian debian linux 9.0

opensuse leap 15.1

opensuse leap 15.2

Vendor Advisories

Debian CVElist Bug Report Logs: CVE-2020-11076 CVE-2020-11077
Debian Bug report logs - #972102 CVE-2020-11076 CVE-2020-11077 Package: puma; Maintainer for puma is Debian Ruby Extras Maintainers <pkg-ruby-extras-maintainers@listsaliothdebianorg>; Source for puma is src:puma (PTS, buildd, popcon) Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Mon, 12 Oct 2020 18:15:01 ...

References

CWE-444https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22https://github.com/puma/puma/security/advisories/GHSA-w64w-qqph-5gxmhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.htmlhttp://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.htmlhttps://lists.debian.org/debian-lts-announce/2020/10/msg00009.htmlhttps://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=972102https://nvd.nist.gov
CVSSv2
CVSSv2
CVSSv3
VMScore
Recommendations:
CVE-2024-27322administrator privilegesCVE-2024-1579hardcodedCVE-2023-20198CVE-2024-33587CVE-2024-33449CVE-2024-4308HTML injection
Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook