Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2024-21647

Опубликовано: 08 янв. 2024
Источник: redhat
CVSS3: 7.5

Описание

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

A flaw was found in Puma rubygem. Versions prior 6.4.2 are susceptible to a HTTP smuggling attack when parsing chunked transfer encoding bodies on HTTP messages, which don't limit the size of the message chunk extensions. This issue may lead to uncontrolled resource consumption, possibly resulting in a denial of service of the attacked server.

Отчет

For Red Hat Satellite the affected version of the package tfm-rubygem-puma applies to EL7 only, which means it only applies to Satellite 6.11 on RHEL 7 which is currently out of support.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Satellite 6tfm-rubygem-pumaNot affected
Red Hat Storage 3rubygem-pumaAffected
Red Hat Satellite 6.15 for RHEL 8rubygem-pumaFixedRHSA-2024:201023.04.2024

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-444
https://bugzilla.redhat.com/show_bug.cgi?id=2257340rubygem-puma: HTTP request smuggling when parsing chunked Transfer-Encoding Bodies

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2024-21647

CVSS3: 5.9
ubuntu
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

nvd логотип

CVE-2024-21647

CVSS3: 5.9
nvd
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. Prior to version 6.4.2, puma exhibited incorrect behavior when parsing chunked transfer encoding bodies in a way that allowed HTTP request smuggling. Fixed versions limits the size of chunk extensions. Without this limit, an attacker could cause unbounded resource (CPU, network bandwidth) consumption. This vulnerability has been fixed in versions 6.4.2 and 5.6.8.

debian логотип

CVE-2024-21647

CVSS3: 5.9
debian
больше 1 года назад

Puma is a web server for Ruby/Rack applications built for parallelism. ...

github логотип

GHSA-c2f4-cvqm-65w2

CVSS3: 5.9
github
больше 1 года назад

Puma HTTP Request/Response Smuggling vulnerability

fstec логотип

BDU:2024-00328

CVSS3: 7.5
fstec
больше 1 года назад

Уязвимость HTTP-сервера для Ruby/Rack приложений Puma, связанная с недостатками обработки HTTP-запросов, позволяющая нарушителю вызвать отказ в обслуживании

7.5 High

CVSS3