漏洞信息详情
Puma 注入漏洞
- CNNVD编号:CNNVD-202002-1298 <!--
- 危害等级: 高危-->
- 危害等级: 高危
- CVE编号: CVE-2020-5247
- 漏洞类型: 注入
- 发布时间: 2020-02-28
- 威胁类型: 远程
- 更新时间: 2020-11-10
- 厂 商:
- 漏洞来源:
-
漏洞简介
Puma是一款针对高并发应用的Web服务器。
Puma (RubyGem) 4.3.2之前版本和3.12.2之前版本中存在注入漏洞。攻击者可通过使用换行符(例如CR,LF,/ r或 / n)利用该漏洞结束标头并注入恶意内容。
漏洞公告
目前厂商已发布升级补丁以修复漏洞,补丁获取链接:
https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
参考网址
来源:http-response-splitting-in-webrick-cve-2019-16254
链接:http-response-splitting-in-webrick-cve-2019-16254
来源:MISC
链接:https://www.ruby-lang.org/en/news/2019/10/01/
来源:MISC
链接:https://owasp.org/www-community/attacks/HTTP_Response_Splitting
来源:FEDORA
链接:https://lists.fedoraproject.org/archives/list/[email protected]/message/DIHVO3CQMU7BZC7FCTSRJ33YDNS3GFPK/
来源:CONFIRM
链接:https://github.com/puma/puma/security/advisories/GHSA-84j7-475p-hp8v
来源:FEDORA
链接:https://lists.fedoraproject.org/archives/list/[email protected]/message/NJ3LL5F5QADB6LM46GXZETREAKZMQNRD/
来源:FEDORA
链接:https://lists.fedoraproject.org/archives/list/[email protected]/message/BMJ3CGZ3DLBJ5WUUKMI5ZFXFJQMXJZIK/
来源:vigilance.fr
链接:https://vigilance.fr/vulnerability/RubyGem-Puma-information-disclosure-via-Newline-Response-Splitting-31986
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1405/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.1638/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.2571/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.3691/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.3928/
来源:www.auscert.org.au
链接:https://www.auscert.org.au/bulletins/ESB-2020.3841/
来源:nvd.nist.gov
链接:https://nvd.nist.gov/vuln/detail/CVE-2020-5247
受影响实体
暂无
补丁
- Puma 注入漏洞的修复措施<!--2020-2-28-->
还没有评论,来说两句吧...