7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.4%
When using Puma behind a proxy that does not properly validate that the incoming HTTP request matches the RFC7230 standard, Puma and the frontend proxy may disagree on where a request starts and ends. This would allow requests to be smuggled via the front-end proxy to Puma.
The following vulnerabilities are addressed by this advisory:
Transfer-Encoding
headers, when unsupported encodings should be rejected and the final encoding must be chunked
.Content-Length
headers and chunk sizes, when only digits and hex digits should be allowed.Content-Length
headers, when they should be rejected.\r\n
.The vulnerability has been fixed in 5.6.4 and 4.3.12. When deploying a proxy in front of Puma, turning on any and all functionality to make sure that the request matches the RFC7230 standard.
These proxy servers are known to have “good” behavior re: this standard and upgrading Puma may not be necessary. Users are encouraged to validate for themselves.
github.com/advisories/GHSA-h99w-9q5r-gjq9
github.com/puma/puma/commit/5bb7d202e24dec00a898dca4aa11db391d7787a5
github.com/puma/puma/security/advisories/GHSA-h99w-9q5r-gjq9
github.com/rubysec/ruby-advisory-db/blob/master/gems/puma/CVE-2022-24790.yml
lists.debian.org/debian-lts-announce/2022/08/msg00015.html
lists.fedoraproject.org/archives/list/[email protected]/message/F6YWGIIKL7KKTS3ZOAYMYPC7D6WQ5OA5/
lists.fedoraproject.org/archives/list/[email protected]/message/L7NESIBFCNSR3XH7LXDPKVMSUBNUB43G/
lists.fedoraproject.org/archives/list/[email protected]/message/TUBFJ44NCKJ34LECZRAP4N5VL6USJSIB/
nvd.nist.gov/vuln/detail/CVE-2022-24790
portswigger.net/web-security/request-smuggling
security.gentoo.org/glsa/202208-28
www.debian.org/security/2022/dsa-5146
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
0.005 Low
EPSS
Percentile
75.4%