RubySec

Providing security resources for the Ruby community

CVE-2020-11076 (puma): HTTP Smuggling via Transfer-Encoding Header in Puma

GEM

puma

SEVERITY

CVSS v3: 7.5

PATCHED VERSIONS

  • ~> 3.12.5
  • >= 4.3.4

DESCRIPTION

Impact

By using an invalid Transfer-Encoding header, an attacker could smuggle an HTTP response.

Patches

The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
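To check whether an application's locked Puma version falls inside the patched ranges listed above, here is an added Ruby example; it is not part of the advisory or of Puma itself, the Gemfile.lock fragment is constructed, and the function names are assumed.

```ruby
require "rubygems"

# Patched version constraints exactly as listed in the CVE-2020-11076 advisory.
PATCHED_VERSIONS = ["~> 3.12.5", ">= 4.3.4"].freeze

# True when the given puma version satisfies at least one patched-version
# requirement. RubyGems semantics apply, so the pessimistic operator
# "~> 3.12.5" means >= 3.12.5 and < 3.13; a 3.13.x release is therefore
# outside both ranges and is reported as unpatched.
def puma_patched?(version)
  v = Gem::Version.new(version)
  PATCHED_VERSIONS.any? { |req| Gem::Requirement.new(req).satisfied_by?(v) }
end

# Extract the locked puma version from Gemfile.lock text. Spec entries are
# indented by exactly four spaces; dependency lines (six spaces) are ignored.
# Returns nil when puma is not in the lockfile.
def locked_puma_version(lockfile_text)
  m = lockfile_text.match(/^ {4}puma \(([\w.-]+)\)/)
  m && m[1]
end

# Audit a lockfile: returns :not_present, :vulnerable or :patched.
def audit_lockfile(lockfile_text)
  version = locked_puma_version(lockfile_text)
  return :not_present unless version
  puma_patched?(version) ? :patched : :vulnerable
end

# Constructed Gemfile.lock fragment (assumed sample data, not from the advisory).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nio4r (2.5.2)
      puma (4.3.3)
        nio4r (~> 2.0)
      rack (2.2.2)

  PLATFORMS
    ruby

  DEPENDENCIES
    puma
LOCK

if __FILE__ == $PROGRAM_NAME
  puts "puma #{locked_puma_version(SAMPLE_LOCKFILE)}: #{audit_lockfile(SAMPLE_LOCKFILE)}"
end
```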