CVE-2020-11076
📋 TL;DR
This vulnerability in Puma web server allows attackers to perform HTTP response smuggling by sending requests with invalid Transfer-Encoding headers. This could enable cache poisoning, session hijacking, or cross-site scripting attacks. All systems running vulnerable versions of Puma are affected.
💻 Affected Systems
- Puma (Ruby web server)
📦 What is this software?
Fedora by Fedoraproject
Puma by Puma
⚠️ Risk & Real-World Impact
Worst Case
Attackers could poison web caches, hijack user sessions, perform cross-site scripting attacks, or bypass security controls by smuggling malicious HTTP responses.
Likely Case
Cache poisoning leading to users receiving malicious content or session hijacking through response smuggling.
If Mitigated
Limited impact with proper WAF/IPS filtering of malformed HTTP headers and network segmentation.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests with invalid Transfer-Encoding headers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Puma 3.12.5 or 4.3.4
Vendor Advisory: https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
Restart Required: Yes
Instructions:
1. Update the Gemfile to specify 'puma', '>= 3.12.5' (3.x line) or '>= 4.3.4' (4.x line).
2. Run 'bundle update puma'.
3. Restart the Puma server.
🔧 Temporary Workarounds
WAF/IPS Rule Implementation
Configure the web application firewall or intrusion prevention system to block requests with invalid Transfer-Encoding headers.
Reverse Proxy Filtering
Configure the reverse proxy (nginx, Apache) to validate and sanitize Transfer-Encoding headers before forwarding requests to Puma.
🧯 If You Can't Patch
- Implement strict HTTP header validation at reverse proxy or load balancer layer
- Deploy WAF with rules to detect and block HTTP request smuggling attempts
🔍 How to Verify
Check if Vulnerable:
Check the installed Puma version with 'bundle show puma' or 'gem list puma'. A version below 3.12.5 on the 3.x line, or below 4.3.4 on the 4.x line, is vulnerable.
Check Version:
bundle show puma | grep puma || gem list puma | grep puma
Verify Fix Applied:
After updating, verify version shows 3.12.5+ or 4.3.4+ and test with HTTP requests containing invalid Transfer-Encoding headers.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests with malformed Transfer-Encoding headers
- Unusual response patterns or cache inconsistencies
Network Indicators:
- HTTP requests with invalid Transfer-Encoding values
- Response smuggling patterns in HTTP traffic
SIEM Query:
http.request.headers.transfer_encoding IN ("invalid_value", "chunked, chunked", "chunked, ")
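The SIEM query above matches a few literal header values. A reverse proxy or log-review rule can instead check the header against the grammar in RFC 7230 section 3.3.1 (a comma-separated list of registered transfer-codings, with "chunked" last and at most once). The following Ruby script is an added example, not code from Puma or from the advisory; the sample header values and the `te=` line format are constructed for the demonstration.

```ruby
# Added example (not Puma's code): classify Transfer-Encoding header values
# the way a proxy filter or detection rule might, following RFC 7230 3.3.1.
# Assumed log format: one line per request, "te=<header value>".

KNOWN_CODINGS = %w[chunked compress deflate gzip identity x-compress x-gzip].freeze

# Returns the list of reasons a Transfer-Encoding value looks malformed.
# An empty list means the value is well-formed under the RFC grammar.
def transfer_encoding_problems(value)
  return ["empty header value"] if value.nil? || value.strip.empty?

  problems = []
  # Split with limit -1 so a trailing comma ("chunked, ") yields an empty element.
  codings = value.split(",", -1).map { |c| c.strip.downcase }
  # Drop any ";parameters" so "gzip;q=1" is recognised as gzip.
  names = codings.map { |c| c.split(";").first.to_s.strip }

  names.each_with_index do |name, i|
    if name.empty?
      problems << "empty list element at position #{i}"
    elsif !KNOWN_CODINGS.include?(name)
      problems << "unknown transfer-coding #{name.inspect}"
    end
  end

  chunked_positions = names.each_index.select { |i| names[i] == "chunked" }
  problems << "chunked appears more than once" if chunked_positions.size > 1
  if chunked_positions.size == 1 && chunked_positions.first != names.size - 1
    problems << "chunked is not the final transfer-coding"
  end
  problems
end

# Constructed sample log lines (hypothetical format, not Puma's access log).
SAMPLE_LOG = [
  "te=chunked",
  "te=gzip, chunked",
  "te=chunked, chunked",
  "te=chunked, ",
  "te=invalid_value",
  "te=chunked, gzip"
].freeze

# Returns [value, problems] pairs for every line whose header value is malformed.
def flag_malformed(lines)
  lines.filter_map do |line|
    value = line.chomp.sub(/\Ate=/, "")
    problems = transfer_encoding_problems(value)
    [value, problems] unless problems.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  flag_malformed(SAMPLE_LOG).each do |value, problems|
    puts "#{value.inspect}: #{problems.join('; ')}"
  end
end
```

Run it as a script to see the four malformed values flagged with their reasons; "chunked" and "gzip, chunked" pass. The check is deliberately conservative (unknown codings are flagged rather than ignored), which matches the mitigation advice above of rejecting malformed values at the proxy layer.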
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html
- https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22
- https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd
- https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h
- https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/