CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS
Percentile
57.6%
Prior to puma
version 5.6.2
, puma
may not always call
close
on the response body. Rails, prior to version 7.0.2.2
, depended on the
response body being closed in order for its CurrentAttributes
implementation to
work correctly.
From Rails:
> Under certain circumstances response bodies will not be closed, for example
> a bug in a webserver[1] or a bug in a Rack middleware. In the event a
> response is not notified of a close, ActionDispatch::Executor will not know
> to reset thread local state for the next request. This can lead to data
> being leaked to subsequent requests, especially when interacting with
> ActiveSupport::CurrentAttributes.
The combination of these two behaviors (Puma not closing the body + Rails’
Executor implementation) causes information leakage.
This problem is fixed in Puma versions 5.6.2 and 4.3.11.
This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
See: https://github.com/advisories/GHSA-wh98-p28r-vrc9
for details about the rails vulnerability
Upgrading to a patched Rails or Puma version fixes the vulnerability.
Upgrade to Rails versions 7.0.2.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2.
The Rails CVE
includes a middleware that can be used instead.
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPSS
Percentile
57.6%