GHSA-7xx3-m584-x994

Опубликовано: 05 дек. 2019

Источник: github

Github: Прошло ревью

CVSS3: 5.3

Описание

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack

Keepalive thread overload/DoS

Impact

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack.

If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.

Patches

This vulnerability is patched in Puma 4.3.1 and 3.12.2.

Workarounds

Reverse proxies in front of Puma could be configured to always allow less than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.

For more information

If you have any questions or comments about this advisory:

Open an issue at puma.

Ссылки

Пакеты

Наименование

puma

rubygems

Затронутые версииВерсия исправления

< 3.12.2

3.12.2

Наименование

puma

rubygems

Затронутые версииВерсия исправления

>= 4.0.0, < 4.3.1

4.3.1

EPSS

Процентиль: 81%

0.01587

Низкий

5.3 Medium

CVSS3

CVE ID

CVE-2019-16770

Дефекты

CWE-770

Связанные уязвимости

CVE-2019-16770

CVSS3: 5.3

ubuntu

около 6 лет назад

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.