HIGH 7.5
GHSA-x7jg-6pwg-fx5h
HTTP Smuggling via Transfer-Encoding Header in Puma
Details
### Impact
By using an invalid transfer-encoding header, an attacker could [smuggle an HTTP response](https://portswigger.net/web-security/request-smuggling).
Originally reported by @ZeddYu, who has our thanks for the detailed report.
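The mitigation class for this bug is strict validation of the request framing headers, so that a `Transfer-Encoding` value the server does not recognise, or framing headers that conflict with each other, cause the request to be rejected rather than parsed on a best guess. As an added example (not Puma's code and not the patch referenced below), the following Ruby check follows the rules of RFC 7230 section 3.3; the names `KNOWN_CODINGS`, `FramingError`, `validate_framing` and `rejects_framing?` are chosen here and the set of accepted codings is an assumption of this example.

```ruby
# Added example (not Puma's code): a strict Transfer-Encoding / Content-Length
# check of the kind an HTTP server front end can apply before it parses a body.
# Per RFC 7230 section 3.3, a request with an unrecognised transfer coding, or
# with conflicting framing headers, must be rejected rather than guessed at.

# Transfer codings this (hypothetical) server is willing to decode.
KNOWN_CODINGS = %w[chunked gzip deflate compress].freeze

class FramingError < StandardError; end

# headers: Hash mapping lowercased header name -> Array of raw values
# (one entry per occurrence of the header in the request).
# Returns :chunked, :content_length or :none for an acceptable request and
# raises FramingError otherwise.
def validate_framing(headers)
  te_values = headers.fetch("transfer-encoding", [])
  cl_values = headers.fetch("content-length", [])

  if te_values.any?
    # Transfer-Encoding and Content-Length together is the classic smuggling
    # primitive: two parsers in the chain may disagree on which one wins.
    raise FramingError, "Transfer-Encoding with Content-Length" if cl_values.any?

    # A repeated header is equivalent to one comma-separated list. Trim only
    # SP and HTAB (RFC 7230 OWS), not arbitrary whitespace, so that a value
    # such as "chunked\x0b" is still seen as malformed.
    codings = te_values.flat_map { |v| v.split(",", -1) }
                       .map { |c| c.sub(/\A[ \t]+/, "").sub(/[ \t]+\z/, "").downcase }

    codings.each do |c|
      raise FramingError, "empty transfer coding" if c.empty?
      # Only plain tokens are acceptable; anything else is malformed.
      raise FramingError, "malformed transfer coding #{c.inspect}" unless c.match?(/\A[a-z0-9\-]+\z/)
      raise FramingError, "unknown transfer coding #{c.inspect}" unless KNOWN_CODINGS.include?(c)
    end

    # chunked must be the final coding and must appear exactly once.
    raise FramingError, "chunked must be the last transfer coding" unless codings.last == "chunked"
    raise FramingError, "chunked applied more than once" if codings.count("chunked") > 1
    return :chunked
  end

  if cl_values.any?
    # Several Content-Length headers are only acceptable when they agree.
    raise FramingError, "conflicting Content-Length values" if cl_values.uniq.size > 1
    raise FramingError, "malformed Content-Length" unless cl_values.first.match?(/\A[0-9]+\z/)
    return :content_length
  end

  :none
end

# Convenience predicate: true when the request would be rejected.
def rejects_framing?(headers)
  validate_framing(headers)
  false
rescue FramingError
  true
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample header sets, one acceptable and one that must be refused.
  puts validate_framing({ "transfer-encoding" => ["gzip, chunked"] })   # => chunked
  puts rejects_framing?({ "transfer-encoding" => ["chunked"],
                          "content-length"    => ["4"] })              # => true
end
```

The check treats a repeated header and a comma-separated list identically, and trims only the whitespace the grammar allows, so the request is rejected on any value the server would not be able to decode instead of falling back to Content-Length or the rest of the list.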
### Patches
The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.
### For more information
If you have any questions or comments about this advisory:
* Open an issue in [Puma](https://github.com/puma/puma)
* See our [security policy](https://github.com/puma/puma/security/policy)
References
- https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2020-11076 [ADVISORY]
- https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd [WEB]
- https://github.com/puma/puma [PACKAGE]
- https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22 [WEB]
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.yml [WEB]
- https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html [WEB]
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html [WEB]
- http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html [WEB]