Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2022-23634

Опубликовано: 11 фев. 2022
Источник: nvd
CVSS3: 8
CVSS3: 5.9
CVSS2: 4.3
EPSS Низкий

Описание

Puma is a Ruby/Rack web server built for parallelism. Prior to puma version 5.6.2, puma may not always call close on the response body. Rails, prior to version 7.0.2.2, depended on the response body being closed in order for its CurrentAttributes implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails or Puma version fixes the vulnerability.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*
Версия до 4.3.11 (исключая)
cpe:2.3:a:puma:puma:*:*:*:*:*:ruby:*:*
Версия от 5.0.0 (включая) до 5.6.2 (исключая)
Конфигурация 2

Одно из

cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Версия от 5.0.0 (включая) до 5.2.6.2 (исключая)
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Версия от 6.0.0 (включая) до 6.0.4.6 (исключая)
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Версия от 6.1.0 (включая) до 6.1.4.6 (исключая)
cpe:2.3:a:rubyonrails:rails:*:*:*:*:*:*:*:*
Версия от 7.0.0 (включая) до 7.0.2.2 (исключая)
Конфигурация 3

Одно из

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*
Конфигурация 4

Одно из

cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:36:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*

EPSS

Процентиль: 53%
0.00303
Низкий

8 High

CVSS3

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-200
CWE-404

Связанные уязвимости

ubuntu логотип

CVE-2022-23634

CVSS3: 8
ubuntu
больше 3 лет назад

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

redhat логотип

CVE-2022-23634

CVSS3: 8
redhat
больше 3 лет назад

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` version `5.6.2`, `puma` may not always call `close` on the response body. Rails, prior to version `7.0.2.2`, depended on the response body being closed in order for its `CurrentAttributes` implementation to work correctly. The combination of these two behaviors (Puma not closing the body + Rails' Executor implementation) causes information leakage. This problem is fixed in Puma versions 5.6.2 and 4.3.11. This problem is fixed in Rails versions 7.02.2, 6.1.4.6, 6.0.4.6, and 5.2.6.2. Upgrading to a patched Rails _or_ Puma version fixes the vulnerability.

debian логотип

CVE-2022-23634

CVSS3: 8
debian
больше 3 лет назад

Puma is a Ruby/Rack web server built for parallelism. Prior to `puma` ...

github логотип

GHSA-rmj8-8hhh-gv5h

CVSS3: 8
github
больше 3 лет назад

Puma used with Rails may lead to Information Exposure

fstec логотип

BDU:2024-07773

CVSS3: 8
fstec
больше 3 лет назад

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, позволяющая нарушителю получить доступ к конфиденциальной информации

EPSS

Процентиль: 53%
0.00303
Низкий

8 High

CVSS3

5.9 Medium

CVSS3

4.3 Medium

CVSS2

Дефекты

CWE-200
CWE-404