{"id":"CVE-2020-11076","details":"In Puma (RubyGem) before 4.3.4 and 3.12.5, an attacker could smuggle an HTTP response by using an invalid Transfer-Encoding header. The problem has been fixed in Puma 3.12.5 and Puma 4.3.4. Note: the structured ranges in this record give 3.12.6 and 4.3.5 as the fixed versions and list v3.12.5 and v4.3.4 as affected, which does not match the versions stated in this description; verify against the upstream Puma advisory before relying on either.","aliases":["GHSA-x7jg-6pwg-fx5h"],"modified":"2026-04-09T06:47:39.192691Z","published":"2020-05-22T15:15:11.363Z","related":["GHSA-x7jg-6pwg-fx5h","SUSE-RU-2020:2072-1","SUSE-SU-2020:1901-1","SUSE-SU-2020:1919-1","SUSE-SU-2020:2060-1","SUSE-SU-2020:3036-1","SUSE-SU-2020:3147-1","SUSE-SU-2020:3160-1","openSUSE-SU-2020:0990-1","openSUSE-SU-2020:1001-1","openSUSE-SU-2020:1993-1","openSUSE-SU-2020:2000-1","openSUSE-SU-2024:10589-1","openSUSE-SU-2024:11342-1","openSUSE-SU-2024:11343-1","openSUSE-SU-2024:11830-1","openSUSE-SU-2024:11847-1","openSUSE-SU-2024:12592-1","openSUSE-SU-2024:12900-1","openSUSE-SU-2024:13166-1","openSUSE-SU-2024:13720-1","openSUSE-SU-2024:13721-1","openSUSE-SU-2025:15123-1","openSUSE-SU-2026:10357-1"],"references":[{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SKIY5H67GJIGJL6SMFWFLUQQQR3EMVPR/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2020/10/msg00009.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00034.html"},{"type":"ADVISORY","url":"http://lists.opensuse.org/opensuse-security-announce/2020-07/msg00038.html"},{"type":"ADVISORY","url":"https://github.com/puma/puma/blob/master/History.md#434435-and-31253126--2020-05-22"},{"type":"ADVISORY","url":"https://github.com/puma/puma/security/advisories/GHSA-x7jg-6pwg-fx5h"},{"type":"FIX","url":"https://github.com/puma/puma/commit/f24d5521295a2152c286abb0a45a1e1e2bd275bd"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/puma/puma","events":[{"introduced":"f0762d1216c825009a5d3d0a13d1d3ec1ff95682"},{"fixed":"0a3c09a0603857f088571d0eb69e0b9adee0fed1"},{"introduced":"f5d7600e4e4d9104803b5f0f5f596f8dc45fc191"},{"fixed":"a
24b51b294ff8dd2511f910abe1a0db0d66ed43a"},{"fixed":"f24d5521295a2152c286abb0a45a1e1e2bd275bd"}],"database_specific":{"versions":[{"introduced":"3.0.0"},{"fixed":"3.12.6"},{"introduced":"4.0.0"},{"fixed":"4.3.5"}]}}],"versions":["v3.0.0","v3.0.1","v3.0.2","v3.1.0","v3.1.1","v3.10.0","v3.11.0","v3.11.1","v3.11.2","v3.11.3","v3.11.4","v3.12.0","v3.12.1","v3.12.2","v3.12.3","v3.12.4","v3.12.5","v3.2.0","v3.3.0","v3.4.0","v3.5.0","v3.5.1","v3.5.2","v3.6.0","v3.7.1","v3.8.0","v3.9.0","v3.9.1","v4.0.0","v4.0.1","v4.1.0","v4.2.0","v4.2.1","v4.3.0","v4.3.1","v4.3.2","v4.3.3","v4.3.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-11076.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"33"}]},{"events":[{"introduced":"0"},{"last_affected":"9.0"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}