How severe is CVE-2020-5249?

This vulnerability has a severity rating of MEDIUM with a CVSS score of 6.5 out of 10.

What type of vulnerability is CVE-2020-5249?

This is classified as CWE-113, which is a common weakness in software security.

CVE-2020-5249

MEDIUM Year: 2020

CVSS v3 Score

6.5

Medium

CVSS v2 Score

4.0

Medium

Weakness Type

CWE-113

View all →

Vulnerability Description

In Puma (RubyGem) before 4.3.3 and 3.12.4, if an application using Puma allows untrusted input in an early-hints header, an attacker can use a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is known as HTTP Response Splitting. While not an attack in itself, response splitting is a vector for several other attacks, such as cross-site scripting (XSS). This is related to CVE-2020-5247, which fixed this vulnerability but only for regular responses. This has been fixed in 4.3.3 and 3.12.4.

CVE-2017-7528

MEDIUM

CVSS:6.5(Medium)

Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using ca...

CWE-1132017

CVE-2019-16771

MEDIUM

CVSS:6.5(Medium)

Versions of Armeria 0.85.0 through and including 0.96.0 are vulnerable to HTTP response splitting, which allows remote attackers to inject arbitrary HTTP headers via CRLF sequences when unsanitized da...

CWE-1132019

CVE-2020-10753

MEDIUM

CVSS:6.5(Medium)

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the Expo...

CWE-1132020

CVE-2022-41915

MEDIUM

CVSS:6.5(Medium)

Netty project is an event-driven asynchronous network application framework. Starting in version 4.1.83.Final and prior to 4.1.86.Final, when calling `DefaultHttpHeadesr.set` with an _iterator_ of val...

CWE-1132022

CVE-2023-48256

MEDIUM

CVSS:6.3(Medium)

The vulnerability allows a remote attacker to inject arbitrary HTTP response headers or manipulate HTTP response bodies inside a victim’s session via a crafted URL or HTTP request.

CWE-1132023

CVE-2024-24795

MEDIUM

CVSS:6.3(Medium)

HTTP Response splitting in multiple modules in Apache HTTP Server allows an attacker that can inject malicious response headers into backend applications to cause an HTTP desynchronization attack. Use...

CWE-1132024

CVE-2020-5249

Vulnerability Description

Related Vulnerabilities

CVE-2017-7528

CVE-2019-16771

CVE-2020-10753

CVE-2022-41915

CVE-2023-48256

CVE-2024-24795