CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 0.0004 Low
Percentile: 11.9%
Prior to versions 6.4.2 and 5.6.8, Puma handled chunked transfer-encoding request bodies unsafely: it placed no limit on the size of chunk extensions.
The fixed versions limit the size of chunk extensions. Without such a limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.
The vulnerability has been fixed in 6.4.2 and 5.6.8.
No known workarounds.
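The mitigation described above, as an added illustration that is not Puma's own code: a minimal chunked-body decoder whose chunk-size line reader is bounded up front, so that an endlessly long chunk extension is rejected instead of being consumed. The limits MAX_CHUNK_EXT_BYTES and MAX_CHUNK_SIZE_DIGITS are assumed values for the example, not the constants the fixed versions use.

```ruby
require 'stringio'

class ChunkParseError < StandardError; end

# Assumed limits for this example (not Puma's actual constants).
MAX_CHUNK_EXT_BYTES   = 256  # bytes allowed after ';' on a chunk-size line
MAX_CHUNK_SIZE_DIGITS = 16   # hex digits of the size field (covers 64-bit lengths)

# Reads one chunk-size line ("<hex>[;name[=value]...]\r\n") from io and returns
# the declared chunk size. The read is capped before any parsing happens, so a
# peer that never ends the extension cannot keep us reading indefinitely.
def read_chunk_size(io, max_ext: MAX_CHUNK_EXT_BYTES)
  budget = MAX_CHUNK_SIZE_DIGITS + 1 + max_ext + 2 # size + ';' + ext + CRLF
  line = io.gets("\r\n", budget)
  raise ChunkParseError, "unexpected EOF" if line.nil?
  raise ChunkParseError, "chunk-size line too long" unless line.end_with?("\r\n")

  size_hex, ext = line.chomp("\r\n").split(";", 2)
  unless size_hex && size_hex.match?(/\A[0-9a-fA-F]{1,#{MAX_CHUNK_SIZE_DIGITS}}\z/)
    raise ChunkParseError, "bad chunk size"
  end
  raise ChunkParseError, "chunk extension too long" if ext && ext.bytesize > max_ext
  size_hex.to_i(16)
end

# Decodes a complete chunked body into a String, applying the bound above to
# every chunk-size line. Trailer headers are not handled, for brevity.
def decode_chunked(io, max_ext: MAX_CHUNK_EXT_BYTES)
  body = +""
  loop do
    size = read_chunk_size(io, max_ext: max_ext)
    break if size.zero?
    data = io.read(size)
    raise ChunkParseError, "truncated chunk" if data.nil? || data.bytesize != size
    body << data
    raise ChunkParseError, "missing CRLF after chunk" unless io.read(2) == "\r\n"
  end
  body
end
```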
github.com/advisories/GHSA-c2f4-cvqm-65w2
github.com/puma/puma/commit/5fc43d73b6ff193325e657a24ed76dec79133e93
github.com/puma/puma/commit/60d5ee3734adc8cee85c3f0561af392448fe19b7
github.com/puma/puma/commit/bbb880ffb6debbfdea535b4b3eb2204d49ae151d
github.com/puma/puma/security/advisories/GHSA-c2f4-cvqm-65w2
github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2024-21647.yml
nvd.nist.gov/vuln/detail/CVE-2024-21647