{
  "threat_severity" : "Moderate",
  "public_date" : "2020-05-21T00:00:00Z",
  "bugzilla" : {
    "description" : "rubygem-puma: HTTP Smuggling via an invalid Transfer-Encoding Header",
    "id" : "1842539",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1842539"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-444",
  "details" : [ "In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response, by using an invalid transfer-encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4.", "A flaw was found in rubygem-puma. An attacker could smuggle an HTTP response, by using an invalid transfer-encoding header." ],
  "statement" : "The Red Hat Gluster Storage 3 Web Administration component uses the affected Puma RubyGem, which does not verify HTTP body chunks.",
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "rubygem-puma",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-11076\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-11076\nhttps://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h" ],
  "name" : "CVE-2020-11076",
  "mitigation" : {
    "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.",
    "lang" : "en:us"
  },
  "csaw" : false
}