How severe is CVE-2020-5247?

This vulnerability has a severity rating of HIGH with a CVSS score of 7.5 out of 10.

What type of vulnerability is CVE-2020-5247?

This is classified as CWE-113, which is a common weakness in software security.

CVE-2020-5247 - HIGH Severity | CVSS 7.5

Vulnerability Description

In Puma (RubyGem) before 4.3.2 and before 3.12.3, if an application using Puma allows untrusted input in a response header, an attacker can use newline characters (i.e. `CR`, `LF` or`/r`, `/n`) to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2019-16254, which fixed this vulnerability for the WEBrick Ruby web server. This has been fixed in versions 4.3.2 and 3.12.3 by checking all headers for line endings and rejecting headers with those characters.

Related Vulnerabilities

CVE-2018-7830

HIGH

CVSS:7.5(High)

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') vulnerability exists in the embedded web servers in all Modicon M340, Premium, Quantum PLCs and BMXNOR0200 where a...

CWE-1132018

CVE-2022-3215

HIGH

CVSS:7.5(High)

NIOHTTP1 and projects using it for generating HTTP responses can be subject to a HTTP Response Injection attack. This occurs when a HTTP/1.1 server accepts user generated input from an incoming reques...

CWE-1132022

CVE-2023-42450

HIGH

CVSS:7.5(High)

Mastodon is a free, open-source social network server based on ActivityPub. Starting in version 4.2.0-beta1 and prior to version 4.2.0-rc2, by crafting specific input, attackers can inject arbitrary d...

CWE-1132023

CVE-2015-1445

HIGH

CVSS:7.2(High)

HTTP header injection in the httpd package in fli4l before 3.10.1 and 4.0 before 2015-01-30.

CWE-1132015

CVE-2016-8024

HIGH

CVSS:8.1(High)

Improper neutralization of CRLF sequences in HTTP headers vulnerability in Intel Security VirusScan Enterprise Linux (VSEL) 2.0.3 (and earlier) allows remote unauthenticated attacker to obtain sensiti...

CWE-1132016

CVE-2024-23644

HIGH

CVSS:8.1(High)

Trillium is a composable toolkit for building internet applications with async rust. In `trillium-http` prior to 0.3.12 and `trillium-client` prior to 0.5.4, insufficient validation of outbound header...

CWE-1132024