CVE-2023-40175
HTTP Request Smuggling vulnerability in puma (RubyGems)

HTTP Request Smuggling (no known public exploit)

What is CVE-2023-40175 About?

Puma, the Ruby/Rack web server, is vulnerable to HTTP request smuggling in 5.x releases before 5.6.7 and in 6.x releases before 6.3.1. Affected versions parse chunked transfer-encoding bodies and zero-length (empty) Content-Length headers incorrectly, so a front-end proxy and Puma can disagree about where one HTTP message ends and the next begins. That disagreement can be used to bypass front-end security controls, poison caches and attack other users sharing the same back-end connection. Exploitation requires precisely crafted requests, but the flaw is rated critical. The fixed versions also limit the size of chunk extensions; without that limit an attacker could drive unbounded CPU and network bandwidth consumption.

Affected Software

  • puma
    • <5.6.7
    • >=6.0.0, <6.3.1

Technical Details

Affected Puma versions mishandle two HTTP/1.1 framing cases. First, the trailer section that may follow the last chunk of a chunked body (RFC 9112 section 7.1.2) is parsed incorrectly, so bytes an attacker places there can be treated differently by Puma than by the peer that forwarded them. Second, a Content-Length header with a blank or zero-length value is parsed in a way that can differ from how the front-end treats it; RFC 9112 section 6.3 requires an invalid Content-Length to be answered with a 400 response and the connection closed, and any server that does something else risks disagreeing with its neighbours. Either case lets a front-end (reverse proxy, load balancer or CDN) and Puma compute different lengths for the same message. An attacker who sends a request built around one of these ambiguities can leave bytes of their choosing unread in the connection buffer on one side; those bytes are then prepended to the next request that arrives over the reused connection, which may belong to another user. The usual consequences follow: front-end access controls are bypassed because the smuggled request is never inspected by the front-end, cached responses can be poisoned, and a smuggled request can cause a victim to receive an attacker-controlled response, including reflected script.
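The disagreement described above, as an added example written for this page in Ruby (Puma's own language); it is not Puma's code and does not reproduce Puma's pre-fix parser. It is a small HTTP/1.1 request framer with a strict policy (reject an empty Content-Length, reject Content-Length alongside Transfer-Encoding, cap chunk extensions, require a terminated trailer section) and a hypothetical lenient policy that reads an empty Content-Length as 0. Running both over the same constructed byte stream shows the mechanism the advisory relies on: one policy rejects or frames the message one way, the other reads the sender's trailing bytes as a second request. The 64-byte chunk-extension limit, the sample streams, the host name and all function names are assumptions made for illustration.

```ruby
# Added illustration, not Puma's code: frame HTTP/1.1 requests out of one byte
# stream under a strict policy and a hypothetical lenient one, and compare.
require 'stringio'

CRLF = "\r\n".freeze
MAX_CHUNK_EXT = 64 # assumed limit on chunk-extension bytes (illustrative value)

class FramingError < StandardError; end
Request = Struct.new(:request_line, :headers, :body, :trailers)

# Reads field lines up to and including the blank line that ends the section.
def read_fields(io)
  fields = {}
  while (line = io.gets(CRLF))
    return fields if line == CRLF
    name, value = line.chomp(CRLF).split(':', 2)
    raise FramingError, "malformed field line #{line.inspect}" if value.nil?
    fields[name.strip.downcase] = value.strip
  end
  raise FramingError, 'stream ended inside a field section'
end

def read_exact(io, n, what)
  data = io.read(n)
  raise FramingError, "stream ended inside #{what}" if data.nil? || data.bytesize != n
  data
end

# Decodes a chunked body: chunk extensions are bounded, and the trailer section
# after the last chunk must be terminated by a blank line.
def read_chunked(io)
  body = String.new
  loop do
    size_line = io.gets(CRLF) or raise FramingError, 'stream ended inside chunk-size line'
    size_hex, ext = size_line.chomp(CRLF).split(';', 2)
    raise FramingError, "invalid chunk size #{size_hex.inspect}" unless size_hex =~ /\A\h+\z/
    raise FramingError, 'chunk extension too long' if ext && ext.bytesize > MAX_CHUNK_EXT
    size = size_hex.to_i(16)
    break if size.zero?
    body << read_exact(io, size, 'chunk data')
    raise FramingError, 'chunk not followed by CRLF' unless read_exact(io, 2, 'chunk delimiter') == CRLF
  end
  [body, read_fields(io)]
end

# Strict: an empty or non-numeric Content-Length is rejected (RFC 9112 section 6.3).
# Lenient (hypothetical policy, for contrast only): an empty value is read as 0.
def content_length(headers, lenient)
  raw = headers['content-length']
  return 0 if raw.nil? || (raw.empty? && lenient)
  raise FramingError, "invalid Content-Length #{raw.inspect}" unless raw =~ /\A\d+\z/
  raw.to_i
end

# Splits one byte stream into the requests a server applying the policy would see.
def frame_requests(stream, lenient: false)
  io = StringIO.new(stream.b)
  requests = []
  while (line = io.gets(CRLF))
    next if line == CRLF # RFC 9112 section 2.2: skip empty lines before a request line
    request_line = line.chomp(CRLF)
    raise FramingError, "malformed request line #{request_line.inspect}" unless request_line =~ %r{\A[A-Z]+ \S+ HTTP/1\.[01]\z}
    headers = read_fields(io)
    if headers['transfer-encoding']&.downcase == 'chunked'
      raise FramingError, 'both Content-Length and Transfer-Encoding present' if headers.key?('content-length') && !lenient
      body, trailers = read_chunked(io)
    else
      body = read_exact(io, content_length(headers, lenient), 'body')
      trailers = {}
    end
    requests << Request.new(request_line, headers, body, trailers)
  end
  requests
end

# Request lines each policy sees, or the reason it rejected the stream.
def compare_policies(stream)
  { strict: false, lenient: true }.map do |label, lenient|
    begin
      [label, frame_requests(stream, lenient: lenient).map(&:request_line)]
    rescue FramingError => e
      [label, "rejected: #{e.message}"]
    end
  end.to_h
end

# Constructed sample streams (not captured traffic): (1) empty Content-Length then a
# request line of the sender's choosing; (2) chunked body with a trailer field, then
# an ordinary second request; (3) chunk-size line carrying an oversized chunk extension.
EMPTY_CL_STREAM = "POST /search HTTP/1.1\r\nHost: app.example\r\nContent-Length: \r\n\r\n" \
                  "GET /admin HTTP/1.1\r\nHost: app.example\r\n\r\n"
CHUNKED_STREAM = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n" \
                 "5\r\nhello\r\n0\r\nX-Checksum: abc\r\n\r\n" \
                 "GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
LONG_EXT_STREAM = "POST /upload HTTP/1.1\r\nHost: app.example\r\nTransfer-Encoding: chunked\r\n\r\n" \
                  "5;#{'a' * 100}\r\nhello\r\n0\r\n\r\n"

puts compare_policies(EMPTY_CL_STREAM).inspect if $PROGRAM_NAME == __FILE__
```

Running the file prints what each policy makes of EMPTY_CL_STREAM: the strict framer rejects it, the lenient one returns two requests, the second being the sender's GET /admin. frame_requests(CHUNKED_STREAM) returns two requests under the strict policy, the first with body hello and an x-checksum trailer, and LONG_EXT_STREAM is rejected under either policy. The practical check this gives you is cheap: any intermediary in front of Puma should answer these same constructs with a 400 rather than forward them, and a comparison like compare_policies, run against what each hop actually does, is a quick way to confirm that two hops agree on framing before a deployment relies on shared keep-alive connections.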

What is the Impact of CVE-2023-40175?

A successful desync lets the attacker prepend bytes of their choosing to another user's request on a shared back-end connection. Depending on the application, that allows bypassing front-end access controls (the smuggled request never passes through the front-end's rules), poisoning web caches with attacker-chosen responses, hijacking sessions or performing actions as other users, and delivering attacker-controlled responses, including reflected script, to victims. Confidentiality, integrity and availability of the application can all be affected; the upstream advisory notes that the actual severity depends heavily on the site Puma is serving and on what sits in front of it.

What is the Exploitability of CVE-2023-40175?

HTTP request smuggling is harder to exploit than a typical injection bug: the attacker has to understand how both the intermediary and Puma frame HTTP/1.1 messages and craft a request whose length the two compute differently. No authentication is needed and the attack is fully remote. It does require an HTTP intermediary (reverse proxy, load balancer or CDN) between the attacker and Puma that reuses back-end connections across clients; without one there is no second parser to disagree with and no other user's request to poison. The main constraint is precision: the crafted request must produce the boundary disagreement reliably, which usually takes trial and error against the specific front-end. Exploitation is more likely where the front-end forwards ambiguous framing (an empty Content-Length, Content-Length alongside Transfer-Encoding, or unusual chunk encodings) instead of rejecting or normalizing it, and where long-lived back-end connections are shared by many users.

What are the Known Public Exploits?

No known public exploits: no proof of concept, author, link or commentary is on record.

What are the Available Fixes for CVE-2023-40175?

Available Upgrade Options

  • puma
    • <5.6.7 → Upgrade to 5.6.7
    • >=6.0.0, <6.3.1 → Upgrade to 6.3.1


Additional Resources

What are Similar Vulnerabilities to CVE-2023-40175?

Similar Vulnerabilities: CVE-2023-29400, CVE-2021-43527, CVE-2021-22926, CVE-2020-1934, CVE-2019-15605