CVE-2022-24790
HTTP Request Smuggling vulnerability in puma (RubyGems)
What is CVE-2022-24790 About?
Puma is vulnerable to HTTP request smuggling when it runs behind a proxy that does not strictly validate incoming requests against RFC 7230. Malformed Transfer-Encoding, Content-Length, and chunked-body framing can make the proxy and Puma disagree about where one request ends and the next begins, so an attacker can hide a second request inside the body of a first one and have it reach Puma without passing the proxy's checks. Exploitation requires crafting specific HTTP requests and depends on a proxy in front of Puma that forwards such malformed requests.
Affected Software
- puma
- >=5.0.0, <5.6.4
- <4.3.12
Technical Details
The vulnerability arises from Puma's lenient parsing of the headers that determine message framing, Transfer-Encoding and Content-Length, and of chunked-body segment endings, when the frontend proxy does not enforce RFC 7230 either. Because the two components parse the same bytes differently, an attacker can craft a request that is one message to the proxy and two messages to Puma. Examples of the inputs the fix now rejects are unsupported Transfer-Encoding values, Content-Length values containing non-digit characters or repeated (duplicate) values, and chunked segments that are not terminated by the required \r\n. A proxy that forwards such a request unchanged lets Puma read the body up to the boundary it computed and treat the remaining bytes as a separate request, effectively 'smuggling' a hidden request past the proxy's security checks and directly to Puma.
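The framing disagreement described above, as an added example that is not Puma's code and not part of the original advisory. It is a small HTTP/1.1 request framer with a lenient mode and a strict mode. The lenient rules (honouring the first or the last of several Content-Length values, String#to_i on a non-digit value, a bare LF accepted as a chunk terminator, an unknown Transfer-Encoding ignored) are assumptions chosen to illustrate the header classes the advisory lists, not a transcript of any Puma version's behaviour. The two request streams are constructed for the example.

```ruby
# frozen_string_literal: true
# Illustrative framer (example code, not Puma's parser). Lenient rules below
# are assumptions for illustration; strict mode enforces RFC 7230 framing.

class FramingError < StandardError; end

class Framer
  # duplicate_cl: which of several Content-Length values a lenient parser
  # honours. A proxy and a backend that disagree here disagree on boundaries.
  def initialize(strict:, duplicate_cl: :first)
    @strict = strict
    @duplicate_cl = duplicate_cl
  end

  # Splits a raw byte stream into [request_line, body] pairs.
  def frame(bytes)
    requests = []
    rest = bytes.dup
    until rest.empty?
      head, sep, rest = rest.partition("\r\n\r\n")
      raise FramingError, "incomplete request head" if sep.empty?
      body, rest = read_body(parse_headers(head), rest)
      requests << [head.lines.first.chomp, body]
    end
    requests
  end

  private

  # lower-cased name => array of values, so duplicate headers stay visible
  def parse_headers(head)
    head.lines.drop(1).each_with_object(Hash.new { |h, k| h[k] = [] }) do |line, h|
      name, value = line.split(":", 2)
      h[name.strip.downcase] << value.to_s.strip
    end
  end

  def read_body(headers, rest)
    te = headers["transfer-encoding"].join(",").split(",").map { |v| v.strip.downcase }
    cl = headers["content-length"].join(",").split(",").map(&:strip)

    unless te.empty?
      if @strict
        # RFC 7230 3.3.3: TE alongside CL is a smuggling signal; only a lone
        # "chunked" coding can be framed here.
        raise FramingError, "Transfer-Encoding with Content-Length" unless cl.empty?
        raise FramingError, "unsupported Transfer-Encoding #{te.inspect}" unless te == ["chunked"]
      end
      return read_chunked(rest) if te.include?("chunked")
      # lenient: an unknown coding is ignored and framing falls through to CL
    end

    return ["", rest] if cl.empty?
    if @strict
      raise FramingError, "repeated Content-Length #{cl.inspect}" if cl.size > 1
      raise FramingError, "non-digit Content-Length #{cl.first.inspect}" unless cl.first.match?(/\A\d+\z/)
    end
    n = (@duplicate_cl == :last ? cl.last : cl.first).to_i # lenient: "6abc".to_i == 6
    raise FramingError, "body shorter than Content-Length" if rest.bytesize < n
    [rest.byteslice(0, n), rest.byteslice(n..) || ""]
  end

  def read_chunked(rest)
    body = +""
    loop do
      size_line, sep, rest = rest.partition("\r\n")
      raise FramingError, "missing chunk size" if sep.empty?
      size = size_line.split(";").first.to_i(16)
      chunk = rest.byteslice(0, size)
      rest = rest.byteslice(size..) || ""
      if rest.start_with?("\r\n")                # RFC 7230 4.1: chunk-data CRLF
        rest = rest.byteslice(2..)
      elsif !@strict && rest.start_with?("\n")   # lenient: bare LF tolerated
        rest = rest.byteslice(1..)
      else
        raise FramingError, "chunk not terminated by CRLF"
      end
      return [body, rest] if size.zero?
      body << chunk
    end
  end
end

# true when the framer refuses the stream instead of guessing a boundary
def rejected?(framer, bytes)
  framer.frame(bytes)
  false
rescue FramingError
  true
end

# Constructed stream with two Content-Length values. A proxy honouring the
# last one forwards the whole body as one request; a backend honouring the
# first one reads 4 bytes and frames the rest as a second request.
SMUGGLED = "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
DUPLICATE_CL =
  "POST /search HTTP/1.1\r\nHost: app.example\r\n" \
  "Content-Length: 4\r\nContent-Length: #{4 + SMUGGLED.bytesize}\r\n\r\n" \
  "q=1&" + SMUGGLED

# Constructed stream whose chunk data ends in a bare LF instead of CRLF.
BARE_LF_CHUNK =
  "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n" \
  "5\r\nhello\n0\r\n\r\n"

PROXY   = Framer.new(strict: false, duplicate_cl: :last)
BACKEND = Framer.new(strict: false, duplicate_cl: :first)
STRICT  = Framer.new(strict: true)

if $PROGRAM_NAME == __FILE__
  puts "proxy sees   #{PROXY.frame(DUPLICATE_CL).size} request(s)"
  puts "backend sees #{BACKEND.frame(DUPLICATE_CL).map(&:first).inspect}"
  puts "strict rejects duplicate CL: #{rejected?(STRICT, DUPLICATE_CL)}"
  puts "strict rejects bare-LF chunk: #{rejected?(STRICT, BARE_LF_CHUNK)}"
end
```

The proxy-side framer sees one POST; the backend-side framer sees that POST followed by a GET /admin that the proxy never evaluated. The strict framer raises on both streams, which is the behaviour the fixed Puma releases adopt: a request whose boundaries are ambiguous is rejected rather than guessed at.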
What is the Impact of CVE-2022-24790?
Successful exploitation lets an attacker deliver requests to Puma that the proxy never evaluated. Depending on the deployment, this can bypass access controls enforced at the proxy, reach internal or administrative endpoints, poison shared caches, or interfere with other users' requests on the same backend connection. The attack does not by itself execute code on the server; the damage comes from the proxy and Puma disagreeing about where one request ends and the next begins.
What is the Exploitability of CVE-2022-24790?
Exploitation involves crafting HTTP requests whose framing a frontend proxy and Puma interpret differently with respect to RFC 7230. A working chain requires understanding of HTTP message framing and of the specific parsing behaviour of both the proxy and Puma, since the ambiguous header has to be one the proxy forwards and Puma accepts. No authentication or special privileges are required, so the attack is fully remote. The critical prerequisite is a proxy in front of Puma that does not strictly validate Transfer-Encoding, Content-Length, and chunked segment endings. Operators should verify their proxy's actual behaviour rather than assume it, because even a widely used proxy can be configured, or patched, in a way that forwards malformed requests.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-24790?
Available Upgrade Options
- puma
- <4.3.12 → Upgrade to 4.3.12
- puma
- >=5.0.0, <5.6.4 → Upgrade to 5.6.4
Additional Resources
- https://osv.dev/vulnerability/GHSA-h99w-9q5r-gjq9
- https://www.debian.org/security/2022/dsa-5146
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G
- https://portswigger.net/web-security/request-smuggling
- https://github.com/puma/puma
- https://github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
What are Similar Vulnerabilities to CVE-2022-24790?
Similar Vulnerabilities: CVE-2023-26815, CVE-2020-1934, CVE-2020-1927, CVE-2021-23017, CVE-2021-36195
