Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

github логотип

GHSA-c2f4-cvqm-65w2

Опубликовано: 08 янв. 2024
Источник: github
Github: Прошло ревью
CVSS3: 5.9

Описание

Puma HTTP Request/Response Smuggling vulnerability

Impact

Prior to versions 6.4.2 and 5.6.8, puma exhibited dangerous behavior when parsing chunked transfer encoding bodies.

Fixed versions limit the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption.

Patches

The vulnerability has been fixed in 6.4.2 and 5.6.8.

Workarounds

No known workarounds.

References

Ссылки

Пакеты

Наименование

puma

rubygems
Затронутые версииВерсия исправления

>= 6.0.0, < 6.4.2

6.4.2

Наименование

puma

rubygems
Затронутые версииВерсия исправления

< 5.6.8

5.6.8

EPSS

Процентиль: 82%
0.01794
Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2024-21647

Дефекты

CWE-444

Связанные уязвимости

ubuntu логотип

CVE-2024-21647

CVSS3: 5.9
ubuntu
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

redhat логотип

CVE-2024-21647

CVSS3: 7.5
redhat
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

nvd логотип

CVE-2024-21647

CVSS3: 5.9
nvd
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

debian логотип

CVE-2024-21647

CVSS3: 5.9
debian
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. ...

fstec логотип

BDU:2024-00328

CVSS3: 7.5
fstec
больше 1 года назад

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 82%
0.01794
Низкий

5.9 Medium

CVSS3

CVE ID

CVE-2024-21647

Дефекты

CWE-444