CVE-2021-41136
HTTP Request Smuggling vulnerability in puma (RubyGems)
What is CVE-2021-41136 About?
This vulnerability allows HTTP request smuggling when Puma is deployed behind a proxy that forwards bare LF characters as header line endings instead of normalising or rejecting them. A client can smuggle a second request through the proxy, and Puma's response to it may be delivered to a different client that later shares the same persistent connection. The severity is rated low because the required proxy behaviour is uncommon, but where it is present the result can be information disclosure or session hijacking.
Affected Software
- puma >=5.0.0, <5.5.1
- puma <4.3.9
Technical Details
Prior to Puma 5.5.1 (and 4.3.9 on the 4.x line), Puma could be desynchronised from a proxy in front of it if that proxy forwards bare LF characters as line endings in HTTP headers. The Puma advisory describes this proxy behaviour as very uncommon and names Apache Traffic Server as the only proxy known to behave this way. The sequence is: a client sends a request in which a header line is terminated by a bare LF where CRLF is expected; the proxy treats the LF as a line ending and forwards the bytes unchanged; Puma does not treat the bare LF as a line ending, so it parses the header block differently and disagrees with the proxy about where the request ends. If the proxy uses a persistent connection to Puma and the client pipelines a second request, the proxy treats the pipelined bytes as the body of the first request and expects a single response, whereas Puma frames them as a separate second request and sends two responses. The proxy is not expecting the second response; if it has meanwhile reused the same persistent connection for a different client, that response is delivered to the other client. The patched parser no longer accepts a bare LF as a line ending in a header, so such requests are rejected instead of being split into two requests.
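As an added illustration (not Puma's parser and not code from the advisory), the toy framer below parses one byte stream under two models: a "proxy" model that honours a bare LF as a header-line terminator, and a simplified "server" model that only honours CRLF and leaves a bare LF inside the header value. The same bytes frame into one request under the first model and two under the second, which is the desync described above; a `reject_bare_lf` switch models the patched behaviour of refusing such a header block outright. The host names, header names, and both byte streams are constructed for the example.

```ruby
# Added example, not Puma's own parser: a toy HTTP/1.1 request framer that
# either honours a bare LF as a header-line terminator (the proxy behaviour the
# advisory describes) or only CRLF, keeping a bare LF inside the header value
# (a simplified model of the pre-fix server side). The same bytes then frame
# into a different number of requests, which is the desync behind the smuggle.

class BareLfError < StandardError; end

# Header-line splitting is the only place the two models differ.
def split_header_lines(block, lf_is_eol:)
  lf_is_eol ? block.split(/\r?\n/) : block.split("\r\n")
end

# First Content-Length header wins; no header means an empty body.
def content_length(header_lines)
  header_lines.each do |line|
    name, value = line.split(":", 2)
    next unless name && value
    return Integer(value.strip) if name.strip.casecmp?("content-length")
  end
  0
end

# Frame a byte stream into requests: each is { request_line:, headers:, body: }.
# reject_bare_lf: true models the patched behaviour: any header block that
# contains an LF not preceded by CR is refused rather than guessed at.
def frame_requests(stream, lf_is_eol:, reject_bare_lf: false)
  terminator = lf_is_eol ? /\r?\n\r?\n/ : /\r\n\r\n/
  requests = []
  rest = stream.dup
  while (m = rest.match(terminator))
    head = rest[0...m.begin(0)]
    rest = rest[m.end(0)..] || ""
    if reject_bare_lf && head.scan(/\r?\n/).include?("\n")
      raise BareLfError, "bare LF in header block"
    end
    request_line, *headers = split_header_lines(head, lf_is_eol: lf_is_eol)
    len = content_length(headers)
    body = rest[0...len] || ""
    rest = rest[len..] || ""
    requests << { request_line: request_line, headers: headers, body: body }
  end
  requests
end

# Constructed attack stream: the Content-Length header is separated from the
# previous header only by a bare LF. A parser that treats LF as a line ending
# sees that header and swallows the pipelined request as a body; a CRLF-only
# parser sees no Content-Length and frames the pipelined bytes as request two.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
ATTACK_STREAM =
  "POST / HTTP/1.1\r\n" \
  "Host: app.example\r\n" \
  "X-Note: hi\nContent-Length: #{SMUGGLED.bytesize}\r\n" \
  "\r\n" + SMUGGLED

# Constructed well-formed pipelined pair, on which both models agree.
CLEAN_STREAM =
  "POST / HTTP/1.1\r\nHost: app.example\r\nContent-Length: 2\r\n\r\nok" + SMUGGLED

# Request lines each side would see, for quick comparison.
def framing_view(stream, lf_is_eol:)
  frame_requests(stream, lf_is_eol: lf_is_eol).map { |r| r[:request_line] }
end

if __FILE__ == $PROGRAM_NAME
  puts "proxy  (LF is EOL): #{framing_view(ATTACK_STREAM, lf_is_eol: true).inspect}"
  puts "server (CRLF only): #{framing_view(ATTACK_STREAM, lf_is_eol: false).inspect}"
  begin
    frame_requests(ATTACK_STREAM, lf_is_eol: false, reject_bare_lf: true)
  rescue BareLfError => e
    puts "patched server: 400 (#{e.message})"
  end
end
```

The proxy model sees a single POST whose body is the smuggled GET; the server model sees the POST with an empty body followed by the GET, and so produces two responses where the proxy expects one. Rejecting the bare LF removes the ambiguity entirely, which is why the fix is a stricter parser rather than a guess about which interpretation the proxy used.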
What is the Impact of CVE-2021-41136?
Successful exploitation may allow attackers to redirect responses intended for one client to another, potentially leading to information disclosure, session hijacking, or cache poisoning.
What is the Exploitability of CVE-2021-41136?
Exploitation depends on a specific deployment rather than on anything the attacker controls: Puma must sit behind a proxy that forwards bare LF characters as header line endings, which the Puma advisory describes as very uncommon (Apache Traffic Server is the only proxy it names). The attack itself is remote and needs no authentication or privileges; a client only has to send the malformed request and pipeline a second one over the proxy's persistent connection. Because the rare proxy behaviour is the gating factor, the likelihood of exploitation in typical deployments is low. Anyone running Puma behind Apache Traffic Server should treat this as directly applicable and upgrade or change the proxy.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2021-41136?
Available Upgrade Options
- puma <4.3.9 → Upgrade to 4.3.9
- puma >=5.0.0, <5.5.1 → Upgrade to 5.5.1
Additional Resources
- https://github.com/puma/puma/security/advisories/GHSA-48w2-rm65-62xx
- https://www.debian.org/security/2022/dsa-5146
- https://osv.dev/vulnerability/GHSA-48w2-rm65-62xx
- https://github.com/puma/puma/commit/acdc3ae571dfae0e045cf09a295280127db65c7f
- https://github.com/puma/puma
- https://github.com/puma/puma/commit/436c71807f00e07070902a03f79fd3e130eb6b18
What are Similar Vulnerabilities to CVE-2021-41136?
Similar Vulnerabilities: CVE-2023-38035, CVE-2021-22926, CVE-2020-19349, CVE-2019-17571, CVE-2023-23946
