GitHub Advisory DatabaseGHSA-C2F4-CVQM-65W2Puma HTTP Request/Response Smuggling vulnerability
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.0004 Low
EPSS
Percentile
11.9%
Impact
Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.
Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
Patches
The vulnerability has been fixed in 6.4.2 and 5.6.8.
Workarounds
No known workarounds.
References
- HTTP Request Smuggling
- Open an issue in Puma
- See our security policy
References
github.com/advisories/GHSA-c2f4-cvqm-65w2
github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
nvd.nist.gov/vuln/detail/CVE-2024-21647
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
0.0004 Low
EPSS
Percentile
11.9%