Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling') in puma
Description
Puma is a HTTP 1.1 server for Ruby/Rack applications. Prior to versions 5.5.1 and 4.3.9, using puma with a proxy which forwards HTTP header values which contain the LF character could allow HTTP request smugggling. A client could smuggle a request through a proxy, causing the proxy to send a response back to another unknown client. The only proxy which has this behavior, as far as the Puma team is aware of, is Apache Traffic Server. If the proxy uses persistent connections and the client adds another request in via HTTP pipelining, the proxy may mistake it as the first request's body. Puma, however, would see it as two requests, and when processing the second request, send back a response that the proxy does not expect. If the proxy has reused the persistent connection to Puma to send another request for a different client, the second response from the first client will be sent to the second client. This vulnerability was patched in Puma 5.5.1 and 4.3.9. As a workaround, do not use Apache Traffic Server with puma.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
pumaRubyGems | >= 5.0.0, < 5.5.1 | 5.5.1 |
pumaRubyGems | < 4.3.9 | 4.3.9 |
Affected products
98- ghsa-coords97 versionspkg:gem/pumapkg:rpm/opensuse/ruby3.2-rubygem-puma-5&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-puma-4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-puma-5&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.3pkg:rpm/opensuse/rubygem-puma&distro=openSUSE%20Leap%2015.4pkg:rpm/suse/ardana-ansible&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-ansible&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/ardana-monasca&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ardana-monasca&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/crowbar-openstack&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/documentation-hpe-helion-openstack-installation&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-operations&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-opsconsole&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-planning&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-security&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-hpe-helion-openstack-user&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/documentation-suse-openstack-cloud-deployment&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-installation&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-operations&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-opsconsole&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-planning&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-security&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-supplement&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-admin&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/documentation-suse-openstack-cloud-upstream-user&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/documentation-suse-openstack-cloud-user&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/influxdb&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/kibana&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-cinder&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-ec2-api&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-ec2-api&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-ec2-api&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-ec2-api&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-ec2-api&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-heat-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-heat-templates&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/openstack-heat-templates&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-horizon-plugin-gbp-ui&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-keystone&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-neutron-gbp&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/openstack-nova&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-Django&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-Django&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/python-eventlet&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/python-eventlet&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/python-monasca-common&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/python-monasca-common&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/python-monasca-common&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP1pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP2pkg:rpm/suse/rubygem-puma&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-puma&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/rubygem-redcarpet&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/rubygem-redcarpet&distro=SUSE%20OpenStack%20Cloud%20Crowbar%209pkg:rpm/suse/venv-openstack-barbican&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-cinder&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-designate&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-glance&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-heat&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-heat&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-horizon&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-horizon-hpe&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-ironic&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-keystone&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-magnum&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-manila&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-monasca-ceilometer&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-monasca&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/venv-openstack-monasca&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-neutron&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-nova&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-octavia&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-sahara&distro=SUSE%20OpenStack%20Cloud%209pkg:rpm/suse/venv-openstack-swift&distro=SUSE%20OpenStack%20Cloud%209
>= 5.0.0, < 5.5.1+ 96 more
- (no CPE)range: >= 5.0.0, < 5.5.1
- (no CPE)range: < 5.6.5-1.7
- (no CPE)range: < 4.3.10-1.1
- (no CPE)range: < 5.6.5-1.1
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 8.0+git.1632499354.a56668f-3.82.1
- (no CPE)range: < 8.0+git.1632499354.a56668f-3.82.1
- (no CPE)range: < 9.0+git.1628097238.f6cbb0e-3.29.1
- (no CPE)range: < 8.0+git.1627997000.6c3bc04-3.30.1
- (no CPE)range: < 8.0+git.1627997000.6c3bc04-3.30.1
- (no CPE)range: < 9.0+git.1627995376.30bdf85-3.25.1
- (no CPE)range: < 6.0+git.1630614261.26948f746-3.37.2
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 8.20210806-1.35.1
- (no CPE)range: < 1.3.8-4.6.1
- (no CPE)range: < 1.3.8-4.6.1
- (no CPE)range: < 4.6.6-4.12.1
- (no CPE)range: < 4.6.6-4.12.1
- (no CPE)range: < 13.0.10~dev23-3.31.2
- (no CPE)range: < 13.0.10~dev23-3.31.2
- (no CPE)range: < 5.0.1~dev12-4.9.1
- (no CPE)range: < 5.0.1~dev12-4.9.1
- (no CPE)range: < 7.1.1~dev6-3.3.2
- (no CPE)range: < 5.0.1~dev12-4.9.1
- (no CPE)range: < 7.1.1~dev6-3.3.2
- (no CPE)range: < 12.0.1~dev4-3.6.1
- (no CPE)range: < 12.0.1~dev4-3.6.1
- (no CPE)range: < 0.0.0+git.1628179051.7d761bf-3.24.1
- (no CPE)range: < 0.0.0+git.1628179051.7d761bf-3.24.1
- (no CPE)range: < 0.0.0+git.1628179051.7d761bff-3.12.1
- (no CPE)range: < 0.0.0+git.1628179051.7d761bf-3.24.1
- (no CPE)range: < 0.0.0+git.1628179051.7d761bff-3.12.1
- (no CPE)range: < 12.0.1~dev5-3.6.1
- (no CPE)range: < 12.0.1~dev5-3.6.1
- (no CPE)range: < 14.2.1~dev7-3.25.2
- (no CPE)range: < 14.2.1~dev7-3.25.2
- (no CPE)range: < 14.0.1~dev19-3.28.1
- (no CPE)range: < 14.0.1~dev19-3.28.1
- (no CPE)range: < 18.3.1~dev91-3.40.1
- (no CPE)range: < 18.3.1~dev91-3.40.1
- (no CPE)range: < 1.11.29-3.28.1
- (no CPE)range: < 1.11.29-3.28.1
- (no CPE)range: < 1.11.29-3.28.1
- (no CPE)range: < 0.20.0-8.3.1
- (no CPE)range: < 0.20.0-8.3.1
- (no CPE)range: < 2.3.1~dev4-4.9.1
- (no CPE)range: < 2.3.1~dev4-4.9.1
- (no CPE)range: < 2.3.1~dev4-4.9.1
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 4.3.11-150000.3.6.2
- (no CPE)range: < 2.16.0-3.15.1
- (no CPE)range: < 2.16.0-4.15.1
- (no CPE)range: < 3.2.3-3.3.1
- (no CPE)range: < 3.2.3-4.3.1
- (no CPE)range: < 7.0.1~dev24-3.25.1
- (no CPE)range: < 13.0.10~dev23-3.28.1
- (no CPE)range: < 7.0.2~dev2-3.25.1
- (no CPE)range: < 17.0.1~dev30-3.23.1
- (no CPE)range: < 9.0.8~dev22-12.35.1
- (no CPE)range: < 9.0.8~dev22-12.35.1
- (no CPE)range: < 11.0.4~dev4-3.25.1
- (no CPE)range: < 12.0.5~dev6-14.38.2
- (no CPE)range: < 14.1.1~dev11-4.29.1
- (no CPE)range: < 12.0.5~dev6-14.38.1
- (no CPE)range: < 11.1.5~dev17-4.23.1
- (no CPE)range: < 14.2.1~dev7-3.26.1
- (no CPE)range: < 7.2.1~dev1-4.25.1
- (no CPE)range: < 7.4.2~dev60-3.31.1
- (no CPE)range: < 1.8.2~dev3-3.25.1
- (no CPE)range: < 2.2.2~dev1-11.30.1
- (no CPE)range: < 2.2.2~dev1-11.30.1
- (no CPE)range: < 2.7.1~dev10-3.23.1
- (no CPE)range: < 13.0.8~dev164-6.29.1
- (no CPE)range: < 18.3.1~dev91-3.29.1
- (no CPE)range: < 3.2.3~dev7-4.25.1
- (no CPE)range: < 9.0.2~dev15-3.25.1
- (no CPE)range: < 2.19.2~dev48-2.20.1
- puma/pumav5Range: >= 5.0.0, < 5.5.1
Patches
Vulnerability mechanics
References
12- github.com/advisories/GHSA-48w2-rm65-62xxghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-41136ghsaADVISORY
- github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18ghsax_refsource_MISCWEB
- github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7fghsax_refsource_MISCWEB
- github.com/puma/puma/commit/fb6ad8f8013ab5cdbb2f444cbfabd0b4fde71139ghsax_refsource_MISCWEB
- github.com/puma/puma/releases/tag/v4.3.9ghsaWEB
- github.com/puma/puma/releases/tag/v5.5.1ghsaWEB
- github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xxghsax_refsource_CONFIRMWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2021-41136.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2022/08/msg00015.htmlghsaWEB
- security.gentoo.org/glsa/202208-28ghsaWEB
- www.debian.org/security/2022/dsa-5146ghsaWEB
News mentions
0No linked articles in our index yet.