PT-2020-3715 · Ruby · Puma

Nateberkopec · Published 2016-10-03 · Updated 2025-09-29 · CVE-2020-5247

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Vulnerable Software and Affected Versions: Puma (RubyGem), versions prior to 4.3.2 and versions prior to 3.12.3
Description: HTTP Response Splitting. If an application running on Puma places untrusted input in a response header, affected Puma versions write the header value to the wire without rejecting carriage-return and line-feed characters (CR and LF, i.e. `\r` and `\n`). An attacker who controls such a value can terminate the header early and inject additional headers or an entirely new response body. Response splitting is not an attack in itself but is a vector for other attacks, such as cross-site scripting (XSS). The CVSS vector reflects this: the impact is to integrity only (C:N/I:H/A:N), and no privileges or user interaction are required.
Recommendations: Update Puma 4.x to 4.3.2 or later and Puma 3.x to 3.12.3 or later. Until the upgrade is in place, make sure the application never copies untrusted input into a response header value without rejecting or stripping CR and LF. Note that the fix shipped in 4.3.2 / 3.12.3 covered regular responses only; the same injection through early-hints headers was addressed separately in 4.3.3 / 3.12.4 (CVE-2020-5249, tracked as GHSA-33VF-4XGG-9R58 below), so an upgrade should target at least those versions.
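The following Ruby script is an added illustration and is not Puma's own code. It reproduces the behaviour described above with a minimal HTTP/1.1 response serializer in the style of a Rack server: `serialize_unchecked` writes header values verbatim (the vulnerable shape), `serialize_checked` refuses CR/LF (the hardened shape), `sanitize_header_value` is the application-level workaround, and `parse_response` shows what a client or proxy reads back. All function names and the `ATTACKER_INPUT` value are constructed for this example.

```ruby
# Added example, not Puma's own code: a minimal HTTP/1.1 response serializer
# in the vulnerable shape (header values written verbatim) and a hardened
# shape (CR/LF rejected), plus a client-side parser to show the split.

CRLF = "\r\n"

class HeaderInjection < StandardError; end

# Vulnerable: every header value goes to the wire exactly as the application
# supplied it, so an embedded CR/LF terminates the header early and whatever
# follows is read by the client as further headers or a new body.
def serialize_unchecked(status, headers, body)
  out = +"HTTP/1.1 #{status}#{CRLF}"
  headers.each { |name, value| out << "#{name}: #{value}#{CRLF}" }
  out << CRLF << body
end

# Hardened: refuse to emit any header whose name or value contains CR or LF.
# Raising, rather than silently stripping, surfaces the bug in the application.
def serialize_checked(status, headers, body)
  headers.each do |name, value|
    if name.to_s.match?(/[\r\n]/) || value.to_s.match?(/[\r\n]/)
      raise HeaderInjection, "CR/LF in response header #{name.inspect}"
    end
  end
  serialize_unchecked(status, headers, body)
end

# Application-level workaround for a server that cannot be upgraded yet:
# strip CR and LF from any untrusted value before it reaches a header.
def sanitize_header_value(value)
  value.to_s.delete("\r\n")
end

# Client-side view: split raw bytes into status line, header pairs and body
# the way an HTTP client or proxy would.
def parse_response(raw)
  head, body = raw.split(CRLF * 2, 2)
  status_line, *header_lines = head.split(CRLF)
  [status_line, header_lines.map { |l| l.split(": ", 2) }, body]
end

# Constructed attacker input (hypothetical): a redirect target that the
# application copies into Location: without validation.
ATTACKER_INPUT = "/home\r\nSet-Cookie: session=evil\r\n\r\n<script>alert(1)</script>"

# Run the malicious value through the vulnerable serializer and return what
# the client sees: an attacker-chosen header and an attacker-chosen body,
# while the application's own Content-Type header is pushed into the body.
def split_response_seen_by_client
  headers = { "Location" => ATTACKER_INPUT, "Content-Type" => "text/plain" }
  parse_response(serialize_unchecked(302, headers, ""))
end

if __FILE__ == $PROGRAM_NAME
  status, headers, body = split_response_seen_by_client
  puts status
  headers.each { |name, value| puts "#{name}: #{value}" }
  puts "--- body ---", body
  begin
    serialize_checked(302, { "Location" => ATTACKER_INPUT }, "")
  rescue HeaderInjection => e
    puts "hardened serializer rejected it: #{e.message}"
  end
end
```

Rejecting is the right behaviour for the server: a header value with CR/LF in it is always an application bug, and failing loudly is what makes the bug visible. Stripping (`sanitize_header_value`) is only a stopgap for application code that must keep running on an unpatched server; it still lets the remainder of the attacker's string through as a single, now harmless, header value.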

Weakness Enumeration

Special Elements Injection

Related Identifiers

ALSA-2025_16880
ALT-PU-2016-2061
ALT-PU-2020-1679
ALT-PU-2020-3411
ALT-PU-2021-3068
BDU:2020-04073
BIT-RUBY-2020-5247
BIT-RUBY-MIN-2020-5247
CVE-2020-5247
DLA-3023-1
GHSA-33VF-4XGG-9R58
GHSA-84J7-475P-HP8V
OPENSUSE-SU-2020:1993-1
OPENSUSE-SU-2020:2000-1
SUSE-RU-2020:2072-1
SUSE-SU-2020:1066-1
SUSE-SU-2020:1190-1
SUSE-SU-2020:2060-1
SUSE-SU-2020:3036-1
SUSE-SU-2020:3147-1
SUSE-SU-2020:3160-1

Affected Products

Alt Linux
Puma
Suse