exploitDog
CVE-2019-16770

Published: 05 Dec 2019
Source: redhat
CVSS3: 7.5
EPSS: Low

Description

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

A flaw was found in rubygem-puma. A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough.

Report

Red Hat CloudForms uses the affected RubyGem Puma; however, it is not vulnerable: when the number of keepalive connections was increased beyond the number of available threads, additional connections did not wait long. The Red Hat Gluster Storage Web Administration component uses the affected RubyGem Puma.

Mitigation

Reverse proxies in front of Puma could be configured to always allow fewer than X keepalive connections to a Puma cluster or process, where X is the number of threads configured in Puma's thread pool.
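The following nginx configuration is an added example of that mitigation; it is not part of the advisory and not Red Hat's or the Puma project's own configuration. It assumes a single Puma process listening on 127.0.0.1:3000 with `threads 16, 16` in its config/puma.rb, nginx running with `worker_processes 2`, and a hypothetical upstream name `puma_app`. The point it shows is that nginx's `keepalive` cap is per worker process, so the effective ceiling is worker_processes multiplied by the directive value, and that product is what must stay below Puma's thread count.

```nginx
# Added example (not from the advisory). Caps idle keepalive connections
# from nginx to a Puma instance so they never reach Puma's thread count.
# Assumed: Puma at 127.0.0.1:3000 with 16 threads, nginx worker_processes 2.

worker_processes 2;

http {
    upstream puma_app {              # hypothetical upstream name
        server 127.0.0.1:3000;

        # Maximum idle keepalive connections preserved to this upstream
        # PER nginx worker process. Effective ceiling here is 2 * 7 = 14,
        # which stays below the 16 Puma threads; connections beyond the
        # cap are closed by nginx instead of lingering on a Puma thread.
        keepalive 7;
    }

    server {
        listen 80;

        location / {
            proxy_pass http://puma_app;

            # Both settings are required for nginx to reuse HTTP/1.1
            # keepalive connections toward the upstream at all; without
            # them nginx opens a fresh connection per request.
            proxy_http_version 1.1;
            proxy_set_header Connection "";
        }
    }
}
```

When Puma runs in clustered mode (`workers N`), each worker has its own thread pool, so the comparison should be made against the per-process thread count that a single upstream connection can land on, not the cluster total. Raising `worker_processes` in nginx without lowering `keepalive` silently raises the ceiling, so the two values should be reviewed together whenever either changes.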

Affected packages

Platform                                 | Package               | State        | Recommendation | Release
CloudForms Management Engine 5           | rubygem-puma          | Will not fix |                |
Red Hat 3scale API Management Platform 2 | rubygem-puma          | Not affected |                |
Red Hat Software Collections             | rh-ror50-rubygem-puma | Will not fix |                |
Red Hat Storage 3                        | rubygem-puma          | Affected     |                |


Additional information

Status: Moderate
Defect: CWE-770
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1831297
rubygem-puma: keepalive requests from poorly-behaved client leads to denial of service

EPSS: 0.01587 (percentile: 81%, Low)

CVSS3: 7.5 High

Related vulnerabilities

CVSS3: 5.3
ubuntu
about 6 years ago

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

CVSS3: 5.3
nvd
about 6 years ago

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack. If more keepalive connections to Puma are opened than there are threads available, additional connections will wait permanently if the attacker sends requests frequently enough. This vulnerability is patched in Puma 4.3.1 and 3.12.2.

CVSS3: 5.3
debian
about 6 years ago

In Puma before versions 3.12.2 and 4.3.1, a poorly-behaved client coul ...

CVSS3: 5.3
github
about 6 years ago

A poorly-behaved client could use keepalive requests to monopolize Puma's reactor and create a denial of service attack

suse-cvrf
about 5 years ago

Security update for rmt-server
