CVE-2020-5247: 
Ruby vulnerability analysis and mitigation

CVE-2020-5247 affects Puma (RubyGem) versions before 4.3.2 and before 3.12.3. The vulnerability was discovered in early 2020 and involves HTTP Response Splitting, where untrusted input in response headers could be exploited. This security issue affects Ruby/Rack applications using the Puma web server (NVD, GitHub Advisory).

The vulnerability allows an attacker to use newline characters (CR, LF or /r, /n) to end a header and inject malicious content, including additional headers or an entirely new response body. The issue received a CVSS v3.1 base score of 7.5 (HIGH) from NVD and 6.5 (MEDIUM) from GitHub, indicating significant severity. This vulnerability is related to CVE-2019-16254, which fixed a similar issue in the WEBrick Ruby web server (NVD, OWASP).

While HTTP Response Splitting is not an attack in itself, it serves as a vector for several other attacks. The vulnerability can facilitate cross-site scripting (XSS), cross-user defacement, cache poisoning, and page hijacking attacks. The attacker can potentially manipulate how the web browser interprets the response, leading to various security implications (OWASP, GitHub Advisory).

The vulnerability has been fixed in Puma versions 4.3.2 and 3.12.3 by implementing checks for line endings in headers and rejecting headers containing those characters. For systems unable to upgrade immediately, a workaround involves adding a Rack middleware to the application that performs header checks and rejects any values containing CR/LF characters (GitHub Advisory).