CVE-2022-24790.yml
---
gem: puma
cve: 2022-24790
ghsa: h99w-9q5r-gjq9
url: https://github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
title: HTTP Request Smuggling in puma
date: 2022-03-30
description: |
  ### Impact

  When using Puma behind a proxy that does not properly validate that the
  incoming HTTP request matches the RFC7230 standard, Puma and the frontend
  proxy may disagree on where a request starts and ends. This would allow
  requests to be smuggled via the front-end proxy to Puma.

  The following vulnerabilities are addressed by this advisory:

  - Lenient parsing of `Transfer-Encoding` headers, when unsupported encodings
    should be rejected and the final encoding must be `chunked`.
  - Lenient parsing of malformed `Content-Length` headers and chunk sizes, when
    only digits and hex digits should be allowed.
  - Lenient parsing of duplicate `Content-Length` headers, when they should be
    rejected.
  - Lenient parsing of the ending of chunked segments, when they should end
    with `\r\n`.

  ### Patches

  The vulnerability has been fixed in 5.6.4 and 4.3.12.

  ### Workarounds

  When deploying a proxy in front of Puma, turning on any and all functionality
  to make sure that the request matches the RFC7230 standard.

  These proxy servers are known to have "good" behavior re: this standard and
  upgrading Puma may not be necessary. Users are encouraged to validate for
  themselves.

  - Nginx (latest)
  - Apache (latest)
  - Haproxy 2.5+
  - Caddy (latest)
  - Traefik (latest)

  ### References

  [HTTP Request Smuggling](https://portswigger.net/web-security/request-smuggling)
cvss_v3: 9.1
patched_versions:
  - "~> 4.3.12"
  - ">= 5.6.4"
related:
  url:
    - https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
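The four "lenient parsing" items in the advisory are all message-framing rules from RFC 7230 section 3.3. The Ruby below is an added example, not puma's code or the fix referenced in the commit above: it is a small strict framing checker that rejects exactly what the advisory says a conforming parser must reject (unsupported or non-final `chunked` transfer codings, non-digit `Content-Length`, duplicate `Content-Length`, non-hex chunk sizes, chunk data not terminated by `\r\n`). It goes one step further than the list, also rejecting a request that carries both `Content-Length` and `Transfer-Encoding`, which RFC 7230 permits a server to do and which is the classic source of front-end/back-end disagreement. The header and body samples are constructed for the example; `strict_framing`, `check` and the error messages are this example's own names.

```ruby
# Added example, not puma's code: strict HTTP/1.1 framing checks matching the
# advisory's list. Input is one request's header block and body (constructed).

SUPPORTED_TRANSFER_CODINGS = %w[chunked identity].freeze

class FramingError < StandardError; end

# Split a raw header block into [name, value] pairs; names are case-insensitive.
def parse_headers(header_block)
  header_block.split("\r\n").reject(&:empty?).map do |line|
    name, value = line.split(":", 2)
    raise FramingError, "malformed header line: #{line.inspect}" if value.nil?
    [name.strip.downcase, value.strip]
  end
end

# Content-Length: at most one header, and digits only (RFC 7230 s3.3.2).
def validate_content_length(headers)
  values = headers.select { |n, _| n == "content-length" }.map(&:last)
  return nil if values.empty?
  raise FramingError, "duplicate Content-Length headers" if values.size > 1
  v = values.first
  raise FramingError, "non-digit Content-Length: #{v.inspect}" unless v.match?(/\A[0-9]+\z/)
  v.to_i
end

# Transfer-Encoding: every coding must be one we support and the final coding
# must be chunked (RFC 7230 s3.3.3). Returns true when the body is chunked.
def validate_transfer_encoding(headers)
  values = headers.select { |n, _| n == "transfer-encoding" }.map(&:last)
  return false if values.empty?
  codings = values.flat_map { |v| v.split(",") }.map { |c| c.strip.downcase }
  unsupported = codings - SUPPORTED_TRANSFER_CODINGS
  raise FramingError, "unsupported transfer coding(s): #{unsupported.join(', ')}" unless unsupported.empty?
  raise FramingError, "final transfer coding must be chunked" unless codings.last == "chunked"
  true
end

# Chunked body: the size line is hex digits only (chunk extensions are not
# accepted here), every chunk's data ends with CRLF, and a zero-size chunk
# followed by CRLF terminates the body.
def validate_chunked_body(body)
  pos = 0
  loop do
    nl = body.index("\r\n", pos)
    raise FramingError, "chunk size line not CRLF-terminated" if nl.nil?
    size_str = body[pos...nl]
    raise FramingError, "non-hex chunk size: #{size_str.inspect}" unless size_str.match?(/\A[0-9a-fA-F]+\z/)
    size = size_str.to_i(16)
    data_start = nl + 2
    if size.zero?
      raise FramingError, "missing final CRLF after last chunk" unless body[data_start, 2] == "\r\n"
      return true
    end
    data_end = data_start + size
    raise FramingError, "chunk data does not end with CRLF" unless body[data_end, 2] == "\r\n"
    pos = data_end + 2
  end
end

# Returns :ok when the request is unambiguously framed; raises FramingError otherwise.
def strict_framing(header_block, body)
  headers = parse_headers(header_block)
  length = validate_content_length(headers)
  chunked = validate_transfer_encoding(headers)
  # Stricter than the advisory's list: refuse to guess which framing wins.
  raise FramingError, "both Content-Length and Transfer-Encoding present" if length && chunked
  if chunked
    validate_chunked_body(body)
  elsif length
    raise FramingError, "body length #{body.bytesize} != Content-Length #{length}" unless body.bytesize == length
  else
    raise FramingError, "body present without framing header" unless body.empty?
  end
  :ok
end

# Convenience wrapper: :ok, or the rejection reason as a string.
def check(header_block, body = "")
  strict_framing(header_block, body)
rescue FramingError => e
  e.message
end

if $PROGRAM_NAME == __FILE__
  # One constructed sample per item in the advisory's list.
  puts check("Host: example\r\nTransfer-Encoding: chunked\r\n", "5\r\nhello\r\n0\r\n\r\n")
  puts check("Host: example\r\nTransfer-Encoding: gzip, chunked\r\n", "0\r\n\r\n")
  puts check("Host: example\r\nContent-Length: 5x\r\n", "hello")
  puts check("Host: example\r\nContent-Length: 5\r\nContent-Length: 6\r\n", "hello")
  puts check("Host: example\r\nTransfer-Encoding: chunked\r\n", "5\r\nhelloXX0\r\n\r\n")
end
```

The point of keeping each rule in its own small function is that it mirrors how a reviewer reads a parser fix: each of the advisory's bullets maps to one rejection path, so a test suite can assert that every lenient case now fails closed rather than relying on the front-end proxy to have already normalised the request.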