Vulnerability Name:

CVE-2021-41136 (CCN-211365)

Assigned:2021-10-12
Published:2021-10-12
Updated:2022-10-12
Summary:Puma is an HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using `puma` behind a proxy which forwards HTTP header values that contain the LF character could allow HTTP request smuggling. A client could smuggle a request through the proxy, causing the proxy to send a response back to another, unrelated client. The only proxy known to the Puma team to have this behavior is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request via HTTP pipelining, the proxy may mistake the pipelined request for the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be delivered to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server in front of `puma`.
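The framing disagreement the summary describes can be modelled with a few lines of Ruby. The block below is an added example, not Puma's parser or Apache Traffic Server's code: it runs one constructed byte stream through three toy parsers that differ only in how they treat a bare LF inside a header block. The `:crlf_only` mode stands in for the proxy's view (the LF is just part of a header value), `:lf_or_crlf` for a back end that accepts a bare LF as a line ending, and `:reject_bare_lf` for the strict behaviour a fix is meant to deliver. The header names, paths and the "first Content-Length wins" rule are assumptions of the toy, and the attack stream is constructed for the example, not captured traffic.

```ruby
# Added example (not Puma's or Apache Traffic Server's code): a toy model of the
# framing disagreement behind CWE-444. Three parser modes split the same byte
# stream into requests:
#   :crlf_only      a line ends only at CRLF; a bare LF is just part of the
#                   header value (the forwarding proxy's view)
#   :lf_or_crlf     a bare LF also ends a line (the lenient back-end view)
#   :reject_bare_lf CRLF only, and a bare LF in the header block is a protocol
#                   error (the hardened back-end view)
# Returns an array of hashes, one per request the parser believes it saw.
def split_requests(stream, mode)
  requests = []
  rest = stream.b                               # treat the stream as raw bytes
  header_end = mode == :lf_or_crlf ? /\r?\n\r?\n/ : /\r\n\r\n/
  line_end   = mode == :lf_or_crlf ? /\r?\n/ : /\r\n/
  until rest.empty?
    m = header_end.match(rest)
    break unless m                              # incomplete request; would wait for more bytes
    head = rest[0...m.begin(0)]
    rest = rest[m.end(0)..]
    if mode == :reject_bare_lf && head.match?(/(?<!\r)\n/)
      # A strict server answers 400 and closes the connection; nothing that
      # follows on this connection is parsed as a further request.
      requests << { error: "400 bare LF in header block" }
      break
    end
    lines = head.split(line_end)
    request_line = lines.shift
    headers = lines.map { |l| l.split(":", 2).map(&:strip) }
    # Toy simplification (an assumption, not Puma's rule): the first
    # Content-Length header seen frames the body.
    cl = headers.find { |name, _| name&.casecmp?("Content-Length") }
    length = cl ? cl[1].to_i : 0
    body = rest[0, length]
    rest = rest[length..] || ""
    requests << { request_line: request_line, headers: headers, body: body }
  end
  requests
end

# The smuggling condition: front end and back end count a different number of
# requests on the same connection.
def framing_mismatch?(stream, front_mode, back_mode)
  split_requests(stream, front_mode).size != split_requests(stream, back_mode).size
end

# Constructed attack stream (not captured traffic). The second request is
# pipelined after the first. The X-Pad value carries a bare LF followed by
# "Content-Length: 0", which only an LF-tolerant parser sees as its own header.
SMUGGLED = "GET /smuggled HTTP/1.1\r\nHost: app.example\r\n\r\n".freeze
ATTACK = "POST / HTTP/1.1\r\n" \
         "Host: app.example\r\n" \
         "X-Pad: a\nContent-Length: 0\r\n" \
         "Content-Length: #{SMUGGLED.bytesize}\r\n" \
         "\r\n" + SMUGGLED

if $PROGRAM_NAME == __FILE__
  %i[crlf_only lf_or_crlf reject_bare_lf].each do |mode|
    seen = split_requests(ATTACK, mode)
    puts "#{mode}: #{seen.size} request(s) #{seen.map { |r| r[:request_line] || r[:error] }}"
  end
end
```

Run as a script, the proxy view reports one request whose body is the pipelined `GET /smuggled`, the lenient back end reports two requests, and the strict back end reports a single 400 and stops. The second response the lenient back end would emit is exactly the one the summary says arrives at whichever client the proxy next multiplexes onto that persistent back-end connection.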
CVSS v3 Severity:3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
4.6 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N)
4.0 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): Low
Integrity (I): Low
Availability (A): None
CVSS v2 Severity:3.6 Low (CVSS v2 Vector: AV:N/AC:H/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
5.5 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): None
Vulnerability Type:CWE-444
Vulnerability Consequences:Gain Access
References:Source: MITRE
Type: CNA
CVE-2021-41136

Source: XF
Type: UNKNOWN
puma-cve202141136-request-samuggling(211365)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f

Source: CCN
Type: Puma GIT Repository
Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma

Source: CONFIRM
Type: Third Party Advisory
https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20220827 [SECURITY] [DLA 3083-1] puma security update

Source: GENTOO
Type: Third Party Advisory
GLSA-202208-28

Source: DEBIAN
Type: Third Party Advisory
DSA-5146

Vulnerable Configuration:Configuration 1:
  • cpe:/a:puma:puma:*:*:*:*:*:ruby:*:* (Version <= 4.3.8)
  • OR cpe:/a:puma:puma:*:*:*:*:*:ruby:*:* (Version >= 5.0.0 and <= 5.5.0)

Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*
  • OR cpe:/o:debian:debian_linux:11.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:puma:puma:4.3.8:*:*:*:*:ruby:*:*
  • OR cpe:/a:puma:puma:5.5.0:*:*:*:*:ruby:*:*

* Denotes that component is vulnerable
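A practitioner's first question on reading the configuration above is whether a given application pins an affected Puma. The block below is an added example, not tooling from the Puma project: it encodes the two affected ranges from Configuration 1 with RubyGems' own `Gem::Requirement`, pulls the locked `puma` version out of a `Gemfile.lock`, and reports whether it falls in range. The sample lockfile is constructed for the example, and the lockfile regexp assumes the standard Bundler layout in which top-level gems under `specs:` are indented four spaces.

```ruby
require "rubygems"   # Gem::Version / Gem::Requirement ship with Ruby

# Affected ranges as listed in the vulnerable-configuration section
# (Configuration 1): everything up to 4.3.8, and 5.0.0 through 5.5.0.
AFFECTED = [
  Gem::Requirement.new("<= 4.3.8"),
  Gem::Requirement.new(">= 5.0.0", "<= 5.5.0"),
].freeze

# Versions the advisory names as patched.
FIXED_IN = %w[4.3.9 5.5.1].freeze

def puma_affected?(version_string)
  v = Gem::Version.new(version_string)
  AFFECTED.any? { |req| req.satisfied_by?(v) }
end

# Extract the locked puma version from Gemfile.lock text, or nil if puma is
# not a top-level spec. Assumes Bundler's layout: top-level gems under
# "specs:" are indented four spaces; their dependencies six. A platform
# suffix such as "-java" is dropped by matching only the numeric part.
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^ {4}puma \((\d+(?:\.\d+)*)/)
  m && m[1]
end

# Summarise one lockfile: present?, version, affected?, and where to go.
def audit_lockfile(lockfile_text)
  version = locked_puma_version(lockfile_text)
  return { present: false } unless version
  { present: true, version: version, affected: puma_affected?(version), fixed_in: FIXED_IN }
end

# Constructed sample lockfile (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.8)
      puma (5.5.0)
        nio4r (~> 2.0)
      rack (2.2.3)
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  p audit_lockfile(text)
end
```

Pass a path to a real `Gemfile.lock` as the first argument to audit it; with no argument the constructed sample is used and reports `5.5.0` as affected. Note that the Debian entries in Configuration 2 are about the distribution package, which this lockfile check does not cover; on Debian 10 and 11 the DSA-5146 and DLA 3083-1 references above are the relevant fix.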
    Oval Definitions
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:469 | P | Security update for rubygem-puma (Important) | 2022-05-04
    oval:org.opensuse.security:def:1749 | P | Security update for rubygem-puma (Important) | 2022-05-04
    oval:org.opensuse.security:def:118645 | P | Security update for rubygem-puma (Important) | 2022-05-04
    oval:org.opensuse.security:def:102308 | P | Security update for rubygem-puma (Important) (in QA) | 2022-04-22
    oval:org.opensuse.security:def:84235 | P | Security update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma (Moderate) | 2021-11-19
    oval:org.opensuse.security:def:84693 | P | Security update for ardana-ansible, ardana-monasca, documentation-suse-openstack-cloud, openstack-ec2-api, openstack-heat-templates, python-Django, python-monasca-common, rubygem-redcarpet, rubygem-puma (Moderate) | 2021-11-19
    oval:org.opensuse.security:def:88217 | P | Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma (Moderate) | 2021-11-19
    oval:org.opensuse.security:def:88534 | P | Security update for ardana-ansible, ardana-monasca, crowbar-openstack, influxdb, kibana, openstack-cinder, openstack-ec2-api, openstack-heat-gbp, openstack-heat-templates, openstack-horizon-plugin-gbp-ui, openstack-keystone, openstack-neutron-gbp, openstack-nova, python-eventlet, rubygem-redcarpet, rubygem-puma (Moderate) | 2021-11-19