CVE-2020-5249: 
Ruby vulnerability analysis and mitigation

In Puma (RubyGem) versions before 4.3.3 and 3.12.4, a vulnerability was discovered that allowed HTTP Response Splitting attacks through early-hints headers. The vulnerability was identified as CVE-2020-5249 and was disclosed on February 28, 2020. This security issue affected applications using Puma that allowed untrusted input in early-hints headers (GitHub Advisory).

The vulnerability occurs when an application using Puma allows untrusted input in an early-hints header. An attacker can exploit this by using a carriage return character to end the header and inject malicious content, such as additional headers or an entirely new response body. This vulnerability is specifically related to HTTP Response Splitting attacks, which while not an attack in themselves, serve as a vector for other attacks such as cross-site scripting (XSS) (GitHub Advisory, OWASP).

The vulnerability could allow attackers to perform various malicious activities through HTTP Response Splitting, including cross-site scripting (XSS), cross-user defacement, cache poisoning, and page hijacking. The ability to inject malicious content through header manipulation poses significant security risks to affected applications (OWASP, GitHub Advisory).

The vulnerability was patched in Puma versions 4.3.3 and 3.12.4. Users are advised to upgrade to these or later versions to address the security issue. As a workaround, applications can implement input validation to prevent untrusted input in early-hints headers (GitHub Advisory, Fedora Update).