Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
HTTP Request Smuggling in puma
Vulnerability Description
Puma is a simple, fast, multi-threaded, parallel HTTP 1.1 server for Ruby/Rack applications. When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma. The vulnerability has been fixed in 5.6.4 and 4.3.12. Users are advised to upgrade as soon as possible. Workaround: when deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Vulnerability Type
HTTP请求的解释不一致性(HTTP请求私运)
Vulnerability Title
Puma 环境问题漏洞
Vulnerability Description
Puma是美国Evan Phoenix个人开发者的一款针对高并发应用的Web服务器。 Puma 存在环境问题漏洞,该漏洞源于当在未正确验证传入 HTTP 请求是否符合 RFC7230 标准的代理后面使用 Puma 时,Puma 和前端代理可能会在请求开始和结束的位置上存在分歧。 这将允许通过前端代理将请求走私到 Puma。
CVSS Information
N/A
Vulnerability Type
N/A