CVE-2020-11076

Summary

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

Affected Software

VendorProductVersion RangeStatus
pumapuma< 3.12.5affected
pumapuma>= 4.0.0, < 4.3.4affected

Weaknesses

  • CWE-444: CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

ADP Enrichment

CVE Program Container

Additional References

References