search

mgh3326 / createandread

0 stars 0 forks source link

CVE-2020-5249 (Medium) detected in puma-4.3.1.gem #54

Open mend-bolt-for-github[bot] opened 3 years ago

mend-bolt-for-github[bot] commented 3 years ago

CVE-2020-5249 - Medium Severity Vulnerability

Vulnerable Library - puma-4.3.1.gem

Puma is a simple, fast, threaded, and highly concurrent HTTP 1.1 server for Ruby/Rack applications. Puma is intended for use in both development and production environments. It's great for highly concurrent Ruby implementations such as Rubinius and JRuby as well as as providing process worker support to support CRuby well.

Library home page: https://rubygems.org/gems/puma-4.3.1.gem

Path to dependency file: /Gemfile.lock

Path to vulnerable library: /ms/2.3.0/cache/puma-4.3.1.gem

Dependency Hierarchy: - :x: **puma-4.3.1.gem** (Vulnerable Library)

Found in HEAD commit: b2a639cfb683201a8f153c64347d5a208f653927

Found in base branch: master

Vulnerability Details

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.

Publish Date: 2020-03-02

URL: CVE-2020-5249

CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: High - Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5249

Release Date: 2020-04-09

Fix Resolution: puma - 3.12.4,4.3.3

Step up your Open Source Security Game with Mend here

mend-bolt-for-github[bot] commented 2 years ago

:heavy_check_mark: This issue was automatically closed by WhiteSource because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the WhiteSource inventory.

mend-bolt-for-github[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.