High severityNVD Advisory· Published May 22, 2020· Updated Aug 4, 2024

HTTP Smuggling via Transfer-Encoding Header in Puma

CVE-2020-11076

Description

In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Puma before 4.3.4 and 3.12.5 allows HTTP response smuggling via an invalid Transfer-Encoding header.

Vulnerability

In Puma, a Ruby web server, an attacker can exploit a response smuggling vulnerability by sending a request with an invalid Transfer-Encoding header. The server fails to properly validate the header, allowing an attacker to inject a second, attacker-controlled response (CVE-2020-11076). [1]

Exploitation

The attack does not require authentication; it can be performed by any client able to send HTTP requests to the server. By crafting a request with a malformed Transfer-Encoding header, an attacker can cause Puma to misinterpret the boundaries between consecutive HTTP responses. This can lead to a scenario where the first response is truncated and the attacker's crafted response is appended, potentially poisoning intermediary caches or affecting other clients. [2]

Impact

Successful exploitation allows an attacker to perform HTTP response smuggling. This can result in cache poisoning, where a proxy or browser caches the attacker's malicious response instead of the legitimate one. Other impacts include session hijacking and cross-site scripting (XSS), depending on how the application and downstream proxies handle the injected content. [3][4]

Mitigation

The vulnerability has been fixed in Puma versions 4.3.4 and 3.12.5. Users should upgrade to these versions or later immediately. No workaround is available. [1]

References

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
pumaRubyGems	< 3.12.5	3.12.5
pumaRubyGems	>= 4.0.0, < 4.3.4	4.3.4

Affected products

219

ghsa-coords218 versions
pkg:gem/puma pkg:rpm/opensuse/rmt-server&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/rmt-server&distro=openSUSE%20Leap%2015.2 pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.1 pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.2 pkg:rpm/suse/ansible1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-cluster&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-cluster&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-input-model&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-input-model&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-logging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-logging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-mq&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-mq&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/ardana-osconfig&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/ardana-osconfig&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/caasp-openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-core&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/crowbar-ha&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/grafana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/keepalived&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/memcached&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-dashboard&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-dashboard&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-dashboard-theme-HPE&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-dashboard-theme-SUSE&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-keystone-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-keystone-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-manila&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-manila-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-monasca-agent&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-agent&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-monasca-installer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-monasca-installer&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-doc&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-neutron-doc&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-neutron-fwaas&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-neutron-fwaas-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-nova-doc&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/openstack-octavia-amphora-image&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/openstack-octavia-amphora-image&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/openstack-tempest&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-amqp&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-amqp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-apicapi&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-apicapi&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Flask&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Flask&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-GitPython&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-GitPython&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneauth1&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-keystoneauth1&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-oslo.messaging&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-oslo.messaging&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-Pillow&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-Pillow&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-psql2mysql&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-psutil&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-py&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pyroute2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pyroute2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-pysaml2&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-pysaml2&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-tooz&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-tooz&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/python-waitress&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/python-waitress&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rabbitmq-server&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/release-notes-suse-openstack-cloud&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-ESPOS pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015-LTSS pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP1 pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Public%20Cloud%2015%20SP2 pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP1 pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Server%20Applications%2015%20SP2 pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Server%2015-LTSS pkg:rpm/suse/rmt-server&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-activeresource&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-crowbar-client&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-json-1_7&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015 pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1 pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%206-LTSS pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%207 pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/storm&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/storm&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208 pkg:rpm/suse/venv-openstack-aodh&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-aodh&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-barbican&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-cinder&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-designate&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-freezer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-freezer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-glance&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-keystone&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-magnum&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-manila&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-murano&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-murano&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-neutron&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-nova&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-octavia&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-sahara&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-swift&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/venv-openstack-trove&distro=HPE%20Helion%20OpenStack%208 pkg:rpm/suse/venv-openstack-trove&distro=SUSE%20OpenStack%20Cloud%208 pkg:rpm/suse/zookeeper&distro=SUSE%20OpenStack%20Cloud%207
< 3.12.5+ 217 more
- (no CPE)range: < 3.12.5
- (no CPE)range: < 2.6.5-lp151.2.18.2
- (no CPE)range: < 2.6.5-lp152.2.3.1
- (no CPE)range: < 4.3.5-lp151.3.3.1
- (no CPE)range: < 4.3.5-lp152.4.3.1
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 1.9.6-7.3.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.2.3.0-12.2
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 2.4.6.0-3.9.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 8.0+git.1589740980.6c3bcdc-3.73.1
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1585685203.3e71e49-3.36.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1586539529.b7d295f-3.21.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1589740934.0e0ad61-3.39.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1591194866.b7375d0-3.24.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 8.0+git.1589715269.62ad6df-3.22.1
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590756744.ba84abc-3.42.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1590100427.cf4cc8f-3.29.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 8.0+git.1587034587.eac37b8-3.45.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 1.0+git.1560518045.ad7dc6d-4.18.1
- (no CPE)range: < 4.0+git.1580209654.1d112d31f-9.66.5
- (no CPE)range: < 5.0+git.1593156248.55bbdb26d-3.41.2
- (no CPE)range: < 4.0+git.1585316203.d6ad2c8-4.52.4
- (no CPE)range: < 4.0+git.1589804581.9972163f0-9.71.4
- (no CPE)range: < 5.0+git.1593085772.64c4ab43c-4.40.2
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 8.20200527-1.26.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 4.6.5-1.14.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 4.6.5-4.9.1
- (no CPE)range: < 2.0.19-1.8.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-5.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 4.6.3-3.3.1
- (no CPE)range: < 1.5.17-3.6.1
- (no CPE)range: < 20180608_12.47-12.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 12.0.5~dev3-3.26.1
- (no CPE)range: < 8+git.1523473653.6599ec8-3.3.1
- (no CPE)range: < 2016.2-5.12.4
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 0.0.0+git.1582270132.8a20477-3.15.1
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 12.0.4~dev11-5.33.2
- (no CPE)range: < 3.0.1~dev30-4.12.2
- (no CPE)range: < 3.0.1~dev30-4.12.3
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 2.2.6~dev4-3.18.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 20190923_16.32-3.12.1
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 11.0.9~dev65-3.33.2
- (no CPE)range: < 9.0.2~dev5-4.9.3
- (no CPE)range: < 9.0.2~dev5-4.9.4
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 14.0.11~dev13-4.40.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 0.1.4-3.12.2
- (no CPE)range: < 12.2.1~a0~dev177-4.9.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 2.4.2-3.12.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.6.0-3.6.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.8.19-3.23.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 1.11.23-3.15.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 0.12.1-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 2.1.8-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 3.1.2~dev2-3.3.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 5.30.8-3.11.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 2.8.1-4.12.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 4.2.1-3.5.1
- (no CPE)range: < 0.5.0+git.1589351878.4ef877c-1.12.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.2.1-21.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 5.2.2-3.3.1
- (no CPE)range: < 1.8.1-11.12.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 0.4.21-3.3.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.0.2-3.17.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 4.0.2-5.6.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.58.1-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 1.4.3-3.3.1
- (no CPE)range: < 3.4.4-3.16.1
- (no CPE)range: < 7.20180803-3.18.3
- (no CPE)range: < 2.6.5-3.34.1
- (no CPE)range: < 2.6.5-3.34.1
- (no CPE)range: < 2.6.5-3.18.1
- (no CPE)range: < 2.6.5-3.3.1
- (no CPE)range: < 2.6.5-3.18.1
- (no CPE)range: < 2.6.5-3.3.1
- (no CPE)range: < 2.6.5-3.34.1
- (no CPE)range: < 2.6.5-3.34.1
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 4.0.0-3.3.1
- (no CPE)range: < 3.9.2-7.20.1
- (no CPE)range: < 3.9.2-3.12.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 1.7.7-3.3.1
- (no CPE)range: < 4.3.5-3.3.1
- (no CPE)range: < 4.3.5-3.3.1
- (no CPE)range: < 4.3.5-3.3.1
- (no CPE)range: < 2.16.0-4.3.1
- (no CPE)range: < 2.16.0-4.6.1
- (no CPE)range: < 2.16.0-3.9.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 1.1.3-3.3.1
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.1.1~dev7-12.26.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 5.0.2~dev3-12.27.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 9.0.8~dev7-12.24.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 11.2.3~dev23-14.27.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 5.0.3~dev7-12.25.2
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 5.0.0.0~xrc2~dev2-10.22.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 15.0.3~dev3-12.25.1
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 9.0.8~dev22-12.27.1
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 12.0.5~dev3-14.30.1
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 9.1.8~dev8-12.27.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 12.0.4~dev11-11.28.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 5.0.2_5.0.2_5.0.2~dev31-11.26.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 5.1.1~dev5-12.31.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 1.5.1_1.5.1_1.5.1~dev3-8.22.2
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 2.2.2~dev1-11.22.3
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 4.0.2~dev2-12.22.1
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 11.0.9~dev65-13.30.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 16.1.9~dev61-11.28.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 1.0.6~dev3-12.27.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 7.0.5~dev4-11.26.2
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 2.15.2_2.15.2_2.15.2~dev32-11.18.1
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 8.0.2~dev2-11.26.1
- (no CPE)range: < 3.4.10-6.1
puma/pumav5
Range: < 3.12.5

Patches

f24d5521295a

Better handle client input

https://github.com/puma/pumaEvan PhoenixMay 18, 2020via ghsa

commit

1 file changed · +10 −2

lib/puma/client.rb+10 −2 modified

@@ -285,8 +285,16 @@ def setup_body
 
       te = @env[TRANSFER_ENCODING2]
 
-      if te && CHUNKED.casecmp(te) == 0
-        return setup_chunked_body(body)
+      if te
+        if te.include?(",")
+          te.split(",").each do |part|
+            if CHUNKED.casecmp(part.strip) == 0
+              return setup_chunked_body(body)
+            end
+          end
+        elsif CHUNKED.casecmp(te) == 0
+          return setup_chunked_body(body)
+        end
       end
 
       @chunked_body = false

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.htmlghsavendor-advisoryx_refsource_SUSEWEB
lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.htmlghsavendor-advisoryx_refsource_SUSEWEB
github.com/advisories/GHSA-x7jg-6pwg-fx5hghsaADVISORY
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/mitrevendor-advisoryx_refsource_FEDORA
nvd.nist.gov/vuln/detail/CVE-2020-11076ghsaADVISORY
github.com/puma/puma/blob/master/History.mdghsax_refsource_MISCWEB
github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bdghsax_refsource_MISCWEB
github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5hghsax_refsource_CONFIRMWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2020-11076.ymlghsaWEB
lists.debian.org/debian-lts-announce/2020/10/msg00009.htmlghsamailing-listx_refsource_MLISTWEB
lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPRghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000