CVE-2021-41136

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in gem/puma

Identifiers

CVE-2021-41136, GHSA-48w2-rm65-62xx

Package Slug

gem/puma

Vulnerability

Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

Description

Puma is a HTTP server for Ruby/Rack applications., using puma with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smuggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client.

Affected Versions

All versions up to 4.3.8, all versions starting from 5.0.0 up to 5.5.0

Solution

Upgrade to versions 4.3.9, 5.5.1 or above.

Last Modified

2021-10-20

source